Skip to content

PyJWKClient unbounded JWKS endpoint requests via attacker-controlled kid values (DoS)

Low severity GitHub Reviewed Published May 21, 2026 in jpadilla/pyjwt

Package

pip pyjwt (pip)

Affected versions

<= 2.12.1

Patched versions

2.13.0

Description

Note

The vulnerability surfaces only when a JWKS fetch fails; an attacker can attempt to provoke that with sustained unknown-kid traffic, but the outcome depends on upstream JWKS-endpoint behavior (rate limiting, transient errors) which is beyond the attacker's control. Impact is reduced auth availability until the next successful fetch, not complete denial of service.

Summary

PyJWKClient.get_signing_key() forces a fresh HTTP request to the JWKS endpoint for every JWT with an unknown kid value, with no rate limiting. Since kid comes from the unverified token header, an attacker can trigger unlimited outbound requests.

Additionally, fetch_data() finally block clears the JWKS cache on network error.

Root Cause

jwt/jwks_client.py:172-198 - get_signing_key(kid) calls get_signing_keys(refresh=True) for unknown kids, bypassing TTL cache with no cooldown.
jwt/jwks_client.py:120-122 - finally block writes None to cache on error, clearing valid data.

Impact

  • DoS against JWKS endpoint (unlimited requests per invalid token)
  • DoS against application (network I/O latency)
  • Cascading failure (rate limiting clears cache, breaking legitimate auth)

Suggested Fix

  1. Add refresh cooldown (refuse refresh more than once per TTL period)
  2. Move cache write from finally to else block

Affected Versions

All versions with PyJWKClient (2.4.0 through 2.12.1)

References

@jpadilla jpadilla published to jpadilla/pyjwt May 21, 2026
Published by the National Vulnerability Database May 28, 2026
Published to the GitHub Advisory Database Jun 15, 2026
Reviewed Jun 15, 2026

Severity

Low

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
High
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(18th percentile)

Weaknesses

Improper Cleanup on Thrown Exception

The product does not clean up its state or incorrectly cleans up its state when an exception is thrown, leading to unexpected state or control flow. Learn more on MITRE.

Improper Handling of Exceptional Conditions

The product does not handle or incorrectly handles an exceptional condition. Learn more on MITRE.

CVE ID

CVE-2026-48524

GHSA ID

GHSA-fhv5-28vv-h8m8

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.