The PyJWT crit header bypass vulnerability (CVE-2026-32597) can let attackers forge tokens; verify if your systems are affected, apply updates automatically, or block the issue now with proxy rules or AppArmor. This security guide works for any Linux environment including Rocky Linux, Debian, Ubuntu, CentOS, and RHEL.
A security vulnerability was identified in PyJWT (Python JSON Web Token library) in early 2026. This issue remains relevant as long as you run any version prior to the patched releases because the vulnerability is structural, not time-bound. All system administrators who handle token-based authentication should verify their PyJWT versions and apply the appropriate fixes.
What is the issue?
PyJWT versions before 2.12.0 (and before 1.7.1-2+deb11u1 for Debian 11) do not validate the "crit" (Critical) Header Parameter defined in RFC 7515 Section 4.1.11.
When a JWS (JSON Web Signature) token contains a "crit" array listing extensions that PyJWT does not recognize, the library incorrectly accepts the token instead of rejecting it. This violates the mandatory requirement in the RFC and allows attackers to bypass security policy enforcement.
Put simply: If you use PyJWT to verify JWT tokens, an attacker could craft a token with critical extensions your system doesn't understand, and your code would accept it as valid. Patches are available for all major Linux distributions.
How to check if your system is vulnerable
Run these commands to see which PyJWT version you have installed:
For Rocky Linux, AlmaLinux, CentOS, RHEL
# Check installed version via RPM rpm -qa | grep -i pyjwt # Alternatively, if installed via pip python3 -c "import jwt; print(jwt.__version__)"
apt list --installed | grep -i pyjwt dpkg -l | grep -i pyjwt
For general Python check
pip3 show PyJWT | grep Version python3 -c "import jwt; print(jwt.__version__)"
You are vulnerable if:
You are running PyJWT < 2.12.0
You are running Debian 11 Bullseye with pyjwt < 1.7.1-2+deb11u1
You are running any distribution where pyjwt is older than these patched versions
Automation script to apply the fix
Save this script as fix-pyjwt.sh and run it with root privileges. It automatically detects your Linux distribution and applies the appropriate update:
#!/bin/bash # PyJWT Security Fix Automation Script # Run this script as root or with sudo set -e # Detect distribution if [ -f /etc/os-release ]; then . /etc/os-release OS=$ID VERSION=$VERSION_ID else echo "Cannot detect Linux distribution." exit 1 fi echo "Detected OS: $OS $VERSION" echo "Updating PyJWT to patched version..." case $OS in debian|ubuntu) apt update apt upgrade -y python3-jwt pyjwt ;; rocky|almalinux|centos|rhel|fedora) # For newer versions using dnf if command -v dnf &> /dev/null; then dnf update -y python3-pyjwt else yum update -y python3-pyjwt fi ;; suse|opensuse) zypper refresh zypper update -y python-PyJWT ;; arch|manjaro) pacman -Syu --noconfirm python-pyjwt ;; *) echo "Unsupported OS: $OS" echo "Attempting pip-based update instead..." pip3 install --upgrade PyJWT ;; esac # Verify version after update echo "Verifying PyJWT version..." python3 -c "import jwt; assert jwt.__version__ >= '2.12.0', 'Still vulnerable: Version ' + jwt.__version__; print('PyJWT successfully updated to version', jwt.__version__)"
Make the script executable and run it:
chmod +x fix-pyjwt.sh sudo ./fix-pyjwt.sh
Create your own Laboratory
If you want to test security patches like this one before pushing them to your production servers, the smartest (and cheapest) setup is a dedicated security lab at home.
The hardware bundle that makes this dead simple is the CanaKit Raspberry Pi Starter Kit. It is the go-to foundation for building a security testing environment because it removes all the guesswork:
No hunting for parts: The kit includes everything in one box – the board, a preloaded microSD card, a power supply, and a case.
It's built for power users: The latest generation delivers 2-3x the CPU performance of the previous models, which means you can spin up multiple virtual machines or containers for a realistic lab.
Plug-and-play OS: The included microSD card comes pre-loaded with Raspberry Pi OS, so you can set up your lab in less than ten minutes. From there, you install tools like Kali Linux or Docker to replicate your exact production environment.
It pays for itself: Testing a patch on a dedicated device costs a fraction of what a single incident or recovery window would cost your organization.
Don’t risk breaking your production environment to test a fix. Build a dedicated lab. Get the complete CanaKit setup here
Buy on Amazon (adversiting) https://amzn.to/3QOrOKY
This post contains affiliate links. We may earn a commission on qualifying purchases.
Alternative mitigation if you cannot update now
If you cannot update PyJWT immediately – for example, if you are frozen in a legacy environment or waiting for approval – use these workarounds to block malicious tokens:
1. Block tokens with unknown "crit" headers using a reverse proxy
Add this nginx rule to reject requests containing unknown critical extensions:
location /api/ { # Reject requests with suspicious JWT headers if ($http_authorization ~* "crit":\s*\[[^\]]*unknown") { return 403; } proxy_pass http://your_backend; }
2. Restrict PyJWT usage with AppArmor
Create an AppArmor profile to limit PyJWT's file access and network capabilities.
Add this to your existing profile or create a new one:
/usr/local/lib/python3.*/site-packages/jwt/** r, deny /usr/local/lib/python3.*/site-packages/jwt/** w,
3. Validate tokens at the network edge with iptables
While not a complete solution, you can limit incoming traffic to your API:
# Limit the rate of requests to your API endpoint iptables -A INPUT -p tcp --dport 8080 -m limit --limit 25/minute --limit-burst 40 -j ACCEPT iptables -A INPUT -p tcp --dport 8080 -j DROP
4. Implement explicit algorithm whitelisting in your application code
# Instead of allowing any algorithm, explicitly whitelist only what you use jwt.decode(token, key, algorithms=["RS256", "HS256"])
Take action now
Verify your PyJWT versions across your infrastructure, apply the updates using the script above, and if you block tokens that contain unknown critical header extensions. This vulnerability directly affects authentication – treating it as a routine patch could leave your systems exposed until you check.
Nenhum comentário:
Postar um comentário