<?xml version='1.0' encoding='UTF-8'?>
<?xml-stylesheet href="/static/style.xsl" type="text/xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
  <id>https://vulnerability.circl.lu/sightings/feed</id>
  <title>Most recent sightings.</title>
  <updated>2026-06-26T12:20:34.218388+00:00</updated>
  <author>
    <name>Vulnerability-Lookup</name>
    <email>info@circl.lu</email>
  </author>
  <link href="https://vulnerability.circl.lu" rel="alternate"/>
  <generator uri="https://lkiesow.github.io/python-feedgen" version="1.0.0">python-feedgen</generator>
  <subtitle>Contains only the 10 most recent sightings.</subtitle>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/0dccc110-b203-4a63-b2bc-5ddccbf57c49/export</id>
    <title>0dccc110-b203-4a63-b2bc-5ddccbf57c49</title>
    <updated>2026-06-26T12:20:34.249159+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://cve.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "0dccc110-b203-4a63-b2bc-5ddccbf57c49", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-48524", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mmwjprwno32c", "content": "CVE-2026-48524 - PyJWT: PyJWKClient unbounded JWKS endpoint requests via attacker-controlled kid values (DoS)\nCVE ID : CVE-2026-48524\n \n Published : May 28, 2026, 4:16 p.m. | 15\u00a0minutes ago\n \n Description : PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, P...", "creation_timestamp": "2026-05-28T17:18:42.980532Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/0dccc110-b203-4a63-b2bc-5ddccbf57c49/export"/>
    <published>2026-05-28T17:18:42.980532+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/5591fa28-478d-4f1a-a859-8aafd95196d5/export</id>
    <title>5591fa28-478d-4f1a-a859-8aafd95196d5</title>
    <updated>2026-06-26T12:20:34.248939+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://cve.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "5591fa28-478d-4f1a-a859-8aafd95196d5", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-48524", "type": "seen", "source": "https://gist.github.com/alon710/1f95260cf4713d452e9aa65f49fefae4", "content": "# CVE-2026-48524: CVE-2026-48524: Remote Cache Eviction and Authentication Denial of Service in PyJWT\n\n&gt; **CVSS Score:** 3.7\n&gt; **Published:** 2026-06-15\n&gt; **Full Report:** https://cvereports.com/reports/CVE-2026-48524\n\n## Summary\nA logic flaw in PyJWT's PyJWKClient class allows remote unauthenticated attackers to trigger a complete authentication outage. By transmitting a volume of JWTs containing randomized, non-existent Key ID (kid) values, attackers force synchronous outbound JWKS resolution queries. When these queries fail or time out, a defect in the error cleanup code overwrites the local cache of valid signing keys with None, causing a denial of service.\n\n## TL;DR\nUnauthenticated attackers can send JWTs with randomized KIDs to force connection errors on the target's upstream JWKS endpoint. A flaw in the error cleanup sequence then writes None to the cache, evicting all legitimate signing keys and preventing legitimate users from authenticating.\n\n## Technical Details\n\n- **CWE ID**: CWE-460\n- **Attack Vector**: Network\n- **CVSS v3.1**: 3.7\n- **EPSS Score**: 0.00205\n- **Impact**: Denial of Service (DoS)\n- **Exploit Status**: none\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- Applications utilizing the pyjwt Python package prior to version 2.13.0 with PyJWKClient enabled for dynamic key retrieval.\n- **pyjwt**: &lt; 2.13.0 (Fixed in: `2.13.0`)\n\n## Mitigation\n\n- Upgrade PyJWT to version 2.13.0 or higher\n- Implement rate limiting at the API Gateway or WAF level to throttle incoming requests with unique, unverified JWT headers\n- Validate the format and structure of the 'kid' header before initiating client database or remote lookup actions\n- Apply strict outbound connection limits and low timeouts on requests to dynamic JWKS endpoints\n\n**Remediation Steps:**\n1. Identify all deployment environments running Python-based JWT authentication layers.\n2. Check the installed PyJWT version using 'pip show pyjwt'.\n3. Upgrade the package to a safe version: 'pip install --upgrade \"pyjwt&gt;=2.13.0\"'.\n4. Restart the application server instances to reload the newly patched dependency into memory.\n5. Set up application telemetry to alert on spikes of 'PyJWKClientConnectionError' or unhandled connection timeouts.\n\n## References\n\n- [GitHub Security Advisory GHSA-fhv5-28vv-h8m8](https://github.com/jpadilla/pyjwt/security/advisories/GHSA-fhv5-28vv-h8m8)\n- [Official CVE Record CVE-2026-48524](https://www.cve.org/CVERecord?id=CVE-2026-48524)\n- [PyJWT Commit Fix 95791b1759b8aa4f2203575d344d5c78564cdc81](https://github.com/jpadilla/pyjwt/commit/95791b1759b8aa4f2203575d344d5c78564cdc81)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-48524) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-15T17:41:21.000000Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/5591fa28-478d-4f1a-a859-8aafd95196d5/export"/>
    <published>2026-06-15T17:41:21+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/2bbef858-e386-4134-bc11-91b87c1e74e8/export</id>
    <title>2bbef858-e386-4134-bc11-91b87c1e74e8</title>
    <updated>2026-06-26T12:20:34.246836+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://cve.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "2bbef858-e386-4134-bc11-91b87c1e74e8", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-48524", "type": "seen", "source": "https://gist.github.com/alon710/71d181c729157a76bf49cfdfcfefeae5", "content": "# CVE-2026-48524: CVE-2026-48524: Remote Cache Eviction and Authentication Denial of Service in PyJWT\n\n&gt; **CVSS Score:** 3.7\n&gt; **Published:** 2026-06-15\n&gt; **Full Report:** https://cvereports.com/reports/CVE-2026-48524\n\n## Summary\nA logic flaw in PyJWT's PyJWKClient class allows remote unauthenticated attackers to trigger a complete authentication outage. By transmitting a volume of JWTs containing randomized, non-existent Key ID (kid) values, attackers force synchronous outbound JWKS resolution queries. When these queries fail or time out, a defect in the error cleanup code overwrites the local cache of valid signing keys with None, causing a denial of service.\n\n## TL;DR\nUnauthenticated attackers can send JWTs with randomized KIDs to force connection errors on the target's upstream JWKS endpoint. A flaw in the error cleanup sequence then writes None to the cache, evicting all legitimate signing keys and preventing legitimate users from authenticating.\n\n## Technical Details\n\n- **CWE ID**: CWE-460\n- **Attack Vector**: Network\n- **CVSS v3.1**: 3.7\n- **EPSS Score**: 0.00205\n- **Impact**: Denial of Service (DoS)\n- **Exploit Status**: none\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- Applications utilizing the pyjwt Python package prior to version 2.13.0 with PyJWKClient enabled for dynamic key retrieval.\n- **pyjwt**: &lt; 2.13.0 (Fixed in: `2.13.0`)\n\n## Mitigation\n\n- Upgrade PyJWT to version 2.13.0 or higher\n- Implement rate limiting at the API Gateway or WAF level to throttle incoming requests with unique, unverified JWT headers\n- Validate the format and structure of the 'kid' header before initiating client database or remote lookup actions\n- Apply strict outbound connection limits and low timeouts on requests to dynamic JWKS endpoints\n\n**Remediation Steps:**\n1. Identify all deployment environments running Python-based JWT authentication layers.\n2. Check the installed PyJWT version using 'pip show pyjwt'.\n3. Upgrade the package to a safe version: 'pip install --upgrade \"pyjwt&gt;=2.13.0\"'.\n4. Restart the application server instances to reload the newly patched dependency into memory.\n5. Set up application telemetry to alert on spikes of 'PyJWKClientConnectionError' or unhandled connection timeouts.\n\n## References\n\n- [GitHub Security Advisory GHSA-fhv5-28vv-h8m8](https://github.com/jpadilla/pyjwt/security/advisories/GHSA-fhv5-28vv-h8m8)\n- [Official CVE Record CVE-2026-48524](https://www.cve.org/CVERecord?id=CVE-2026-48524)\n- [PyJWT Commit Fix 95791b1759b8aa4f2203575d344d5c78564cdc81](https://github.com/jpadilla/pyjwt/commit/95791b1759b8aa4f2203575d344d5c78564cdc81)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-48524) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-15T23:21:16.000000Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/2bbef858-e386-4134-bc11-91b87c1e74e8/export"/>
    <published>2026-06-15T23:21:16+00:00</published>
  </entry>
</feed>
