{ "threat_severity" : "Important", "public_date" : "2026-03-12T21:41:50Z", "bugzilla" : { "description" : "pyjwt: PyJWT accepts unknown `crit` header extensions (RFC 7515 §4.1.11 MUST violation)", "id" : "2447194", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2447194" }, "cvss3" : { "cvss3_base_score" : "7.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "status" : "verified" }, "cwe" : "CWE-347", "details" : [ "PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC. This vulnerability is fixed in 2.12.0.", "A missing verification step has been discovered in PyJWT. PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC." ], "affected_release" : [ { "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 8", "release_date" : "2026-05-04T00:00:00Z", "advisory" : "RHSA-2026:13512", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el8", "package" : "automation-controller-0:4.6.28-3.el8ap" }, { "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 8", "release_date" : "2026-05-04T00:00:00Z", "advisory" : "RHSA-2026:13512", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el8", "package" : "python3.12-pyjwt-0:2.12.1-1.el8ap" }, { "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 9", "release_date" : "2026-05-04T00:00:00Z", "advisory" : "RHSA-2026:13512", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el9", "package" : "automation-controller-0:4.6.28-3.el9ap" }, { "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 9", "release_date" : "2026-05-04T00:00:00Z", "advisory" : "RHSA-2026:13512", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el9", "package" : "python3.12-pyjwt-0:2.12.1-1.el9ap" }, { "product_name" : "Red Hat Ansible Automation Platform 2.6 for RHEL 9", "release_date" : "2026-05-04T00:00:00Z", "advisory" : "RHSA-2026:13508", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.6::el9", "package" : "automation-controller-0:4.7.11-2.el9ap" }, { "product_name" : "Red Hat Ansible Automation Platform 2.6 for RHEL 9", "release_date" : "2026-05-04T00:00:00Z", "advisory" : "RHSA-2026:13508", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.6::el9", "package" : "python3.12-pyjwt-0:2.12.1-1.el9ap" }, { "product_name" : "Red Hat Enterprise Linux 10", "release_date" : "2026-05-06T00:00:00Z", "advisory" : "RHSA-2026:13916", "cpe" : "cpe:/o:redhat:enterprise_linux:10.1", "package" : "fence-agents-0:4.16.0-13.el10_1.4" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2026-04-30T00:00:00Z", "advisory" : "RHSA-2026:12176", "cpe" : "cpe:/a:redhat:enterprise_linux:8", "package" : "fence-agents-0:4.2.1-129.el8_10.25" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2026-05-05T00:00:00Z", "advisory" : "RHSA-2026:13672", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "fence-agents-0:4.10.0-98.el9_7.12" }, { "product_name" : "Red Hat AI Inference Server 3.3", "release_date" : "2026-04-17T00:00:00Z", "advisory" : "RHSA-2026:8746", "cpe" : "cpe:/a:redhat:ai_inference_server:3.3::el9", "package" : "rhaiis/vllm-cuda-rhel9:1775680192" }, { "product_name" : "Red Hat AI Inference Server 3.3", "release_date" : "2026-04-17T00:00:00Z", "advisory" : "RHSA-2026:8747", "cpe" : "cpe:/a:redhat:ai_inference_server:3.3::el9", "package" : "rhaiis/vllm-rocm-rhel9:1775680262" }, { "product_name" : "Red Hat AI Inference Server 3.3", "release_date" : "2026-04-17T00:00:00Z", "advisory" : "RHSA-2026:8748", "cpe" : "cpe:/a:redhat:ai_inference_server:3.3::el9", "package" : "rhaiis/model-opt-cuda-rhel9:1775749857" }, { "product_name" : "Red Hat Ansible Automation Platform 2.5", "release_date" : "2026-05-04T00:00:00Z", "advisory" : "RHSA-2026:13553", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el8", "package" : "ansible-automation-platform-25/gateway-rhel8:1777394109" }, { "product_name" : "Red Hat Ansible Automation Platform 2.5", "release_date" : "2026-05-04T00:00:00Z", "advisory" : "RHSA-2026:13553", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el8", "package" : "ansible-automation-platform-25/lightspeed-rhel8:1777403872" }, { "product_name" : "Red Hat Ansible Automation Platform 2.6", "release_date" : "2026-05-04T00:00:00Z", "advisory" : "RHSA-2026:13545", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.6::el9", "package" : "ansible-automation-platform-26/eda-controller-rhel9:1777296732" }, { "product_name" : "Red Hat Ansible Automation Platform 2.6", "release_date" : "2026-05-04T00:00:00Z", "advisory" : "RHSA-2026:13545", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.6::el9", "package" : "ansible-automation-platform-26/ee-supported-rhel9:1777391447" }, { "product_name" : "Red Hat Ansible Automation Platform 2.6", "release_date" : "2026-05-04T00:00:00Z", "advisory" : "RHSA-2026:13545", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.6::el9", "package" : "ansible-automation-platform-26/gateway-rhel9:1777311120" }, { "product_name" : "Red Hat Ansible Automation Platform 2.6", "release_date" : "2026-05-04T00:00:00Z", "advisory" : "RHSA-2026:13545", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.6::el9", "package" : "ansible-automation-platform-26/hub-rhel9:1777299023" }, { "product_name" : "Red Hat Ansible Automation Platform 2.6", "release_date" : "2026-05-04T00:00:00Z", "advisory" : "RHSA-2026:13545", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.6::el9", "package" : "ansible-automation-platform-26/lightspeed-chatbot-rhel9:1777398576" }, { "product_name" : "Red Hat Ansible Automation Platform 2.6", "release_date" : "2026-05-04T00:00:00Z", "advisory" : "RHSA-2026:13545", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.6::el9", "package" : "ansible-automation-platform-26/lightspeed-rhel9:1777387242" }, { "product_name" : "Red Hat Ansible Automation Platform 2.6", "release_date" : "2026-05-04T00:00:00Z", "advisory" : "RHSA-2026:13545", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.6::el9", "package" : "ansible-automation-platform-26/mcp-tools-rhel9:1777311601" }, { "product_name" : "Red Hat Enterprise Linux AI 3.3", "release_date" : "2026-04-23T00:00:00Z", "advisory" : "RHSA-2026:10140", "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3.3::el9", "package" : "rhelai3/bootc-aws-cuda-rhel9:1776871984" }, { "product_name" : "Red Hat Enterprise Linux AI 3.3", "release_date" : "2026-04-23T00:00:00Z", "advisory" : "RHSA-2026:10140", "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3.3::el9", "package" : "rhelai3/bootc-azure-cuda-rhel9:1776871985" }, { "product_name" : "Red Hat Enterprise Linux AI 3.3", "release_date" : "2026-04-23T00:00:00Z", "advisory" : "RHSA-2026:10140", "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3.3::el9", "package" : "rhelai3/bootc-azure-rocm-rhel9:1776872005" }, { "product_name" : "Red Hat Enterprise Linux AI 3.3", "release_date" : "2026-04-23T00:00:00Z", "advisory" : "RHSA-2026:10140", "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3.3::el9", "package" : "rhelai3/bootc-cuda-rhel9:1776773390" }, { "product_name" : "Red Hat Enterprise Linux AI 3.3", "release_date" : "2026-04-23T00:00:00Z", "advisory" : "RHSA-2026:10140", "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3.3::el9", "package" : "rhelai3/bootc-gcp-cuda-rhel9:1776871987" }, { "product_name" : "Red Hat Enterprise Linux AI 3.3", "release_date" : "2026-04-23T00:00:00Z", "advisory" : "RHSA-2026:10140", "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3.3::el9", "package" : "rhelai3/bootc-rocm-rhel9:1776773505" }, { "product_name" : "Red Hat Enterprise Linux AI 3.3", "release_date" : "2026-04-23T00:00:00Z", "advisory" : "RHSA-2026:10141", "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3.3::el9", "package" : "rhelai3/disk-image-cuda-rhel9:1776938871" }, { "product_name" : "Red Hat OpenShift AI 2.25", "release_date" : "2026-04-23T00:00:00Z", "advisory" : "RHSA-2026:10184", "cpe" : "cpe:/a:redhat:openshift_ai:2.25::el9", "package" : "rhoai/odh-feature-server-rhel9:1776338381" }, { "product_name" : "Red Hat OpenShift AI 2.25", "release_date" : "2026-04-23T00:00:00Z", "advisory" : "RHSA-2026:10184", "cpe" : "cpe:/a:redhat:openshift_ai:2.25::el9", "package" : "rhoai/odh-kserve-storage-initializer-rhel9:1776343111" }, { "product_name" : "Red Hat Quay 3.1", "release_date" : "2026-04-07T00:00:00Z", "advisory" : "RHSA-2026:6912", "cpe" : "cpe:/a:redhat:quay:3.10::el8", "package" : "quay/quay-rhel8:1775169155" }, { "product_name" : "Red Hat Quay 3.12", "release_date" : "2026-04-06T00:00:00Z", "advisory" : "RHSA-2026:6720", "cpe" : "cpe:/a:redhat:quay:3.12::el8", "package" : "quay/quay-rhel8:1775253092" }, { "product_name" : "Red Hat Quay 3.15", "release_date" : "2026-04-03T00:00:00Z", "advisory" : "RHSA-2026:6568", "cpe" : "cpe:/a:redhat:quay:3.15::el8", "package" : "quay/quay-rhel8:1775169219" }, { "product_name" : "Red Hat Quay 3.9", "release_date" : "2026-04-07T00:00:00Z", "advisory" : "RHSA-2026:6926", "cpe" : "cpe:/a:redhat:quay:3.9::el8", "package" : "quay/quay-rhel8:1775169218" }, { "product_name" : "Red Hat Trusted Artifact Signer 1.4", "release_date" : "2026-04-16T00:00:00Z", "advisory" : "RHSA-2026:8437", "cpe" : "cpe:/a:redhat:trusted_artifact_signer:1.4::el9", "package" : "rhtas/model-transparency-rhel9:1775815407" } ], "package_state" : [ { "product_name" : "OpenShift Lightspeed", "fix_state" : "Affected", "package_name" : "openshift-lightspeed/lightspeed-ocp-rag-rhel9", "cpe" : "cpe:/a:redhat:openshift_lightspeed" }, { "product_name" : "OpenShift Lightspeed", "fix_state" : "Will not fix", "package_name" : "openshift-lightspeed/lightspeed-service-api-rhel9", "cpe" : "cpe:/a:redhat:openshift_lightspeed" }, { "product_name" : "OpenShift Lightspeed", "fix_state" : "Affected", "package_name" : "openshift-lightspeed/lightspeed-to-dataverse-exporter-rhel9", "cpe" : "cpe:/a:redhat:openshift_lightspeed" }, { "product_name" : "Red Hat AI Inference Server", "fix_state" : "Affected", "package_name" : "rhaiis/vllm-cpu-rhel9", "cpe" : "cpe:/a:redhat:ai_inference_server:3" }, { "product_name" : "Red Hat AI Inference Server", "fix_state" : "Affected", "package_name" : "rhaiis/vllm-tpu-rhel9", "cpe" : "cpe:/a:redhat:ai_inference_server:3" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Not affected", "package_name" : "ansible-automation-platform-24/ee-supported-rhel8", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Not affected", "package_name" : "ansible-automation-platform-24/platform-resource-runner-rhel8", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Not affected", "package_name" : "ansible-automation-platform-25/ee-supported-rhel8", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Will not fix", "package_name" : "ansible-automation-platform-25/lightspeed-chatbot-rhel8", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Affected", "package_name" : "ansible-automation-platform-26/controller-rhel9", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Affected", "package_name" : "ansible-automation-platform/automation-dashboard-rhel9", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Not affected", "package_name" : "ansible-automation-platform-tech-preview/automation-dashboard-rhel9", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Not affected", "package_name" : "rhoai/odh-kserve-agent-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Not affected", "package_name" : "rhoai/odh-kserve-controller-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Not affected", "package_name" : "rhoai/odh-kserve-router-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-llama-stack-core-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Not affected", "package_name" : "rhoai/odh-mlflow-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-pipeline-runtime-datascience-cpu-py312-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Not affected", "package_name" : "rhoai/odh-pipeline-runtime-minimal-cpu-py312-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-pipeline-runtime-pytorch-cuda-py312-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-pipeline-runtime-pytorch-llmcompressor-cuda-py312-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-pipeline-runtime-pytorch-rocm-py312-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-pipeline-runtime-tensorflow-cuda-py312-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-pipeline-runtime-tensorflow-rocm-py312-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-trustyai-garak-lls-provider-dsp-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-vllm-cpu-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-vllm-gaudi-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-workbench-codeserver-datascience-cpu-py312-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-workbench-jupyter-datascience-cpu-py312-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Not affected", "package_name" : "rhoai/odh-workbench-jupyter-minimal-cpu-py312-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Not affected", "package_name" : "rhoai/odh-workbench-jupyter-minimal-cuda-py312-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Not affected", "package_name" : "rhoai/odh-workbench-jupyter-minimal-rocm-py312-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-workbench-jupyter-pytorch-cuda-py312-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-workbench-jupyter-pytorch-llmcompressor-cuda-py312-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-workbench-jupyter-pytorch-rocm-py312-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-workbench-jupyter-tensorflow-cuda-py312-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-workbench-jupyter-tensorflow-rocm-py312-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-workbench-jupyter-trustyai-cpu-py312-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat Quay 3", "fix_state" : "Affected", "package_name" : "quay/quay-rhel9", "cpe" : "cpe:/a:redhat:quay:3" }, { "product_name" : "Red Hat Satellite 6", "fix_state" : "Affected", "package_name" : "satellite/foreman-mcp-server-rhel9", "cpe" : "cpe:/a:redhat:satellite:6" }, { "product_name" : "Red Hat Satellite 6", "fix_state" : "Affected", "package_name" : "satellite/iop-host-inventory-rhel9", "cpe" : "cpe:/a:redhat:satellite:6" }, { "product_name" : "Red Hat Trusted Artifact Signer", "fix_state" : "Affected", "package_name" : "rhtas/segment-reporting-rhel9", "cpe" : "cpe:/a:redhat:trusted_artifact_signer:1" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-32597\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-32597\nhttps://github.com/jpadilla/pyjwt/security/advisories/GHSA-752w-5fwx-jx9f" ], "name" : "CVE-2026-32597", "mitigation" : { "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "lang" : "en:us" }, "csaw" : false }