{
  "threat_severity" : "Moderate",
  "public_date" : "2026-03-20T22:37:13Z",
  "bugzilla" : {
    "description" : "SimpleJWT: SimpleJWT: Denial of Service via JWE header tampering",
    "id" : "2449822",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2449822"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.9",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-325",
  "details" : [ "SimpleJWT is a simple JSON web token library written in PHP. Prior to version 1.1.1, an unauthenticated attacker can perform a Denial of Service via JWE header tampering when PBES2 algorithms are used. Applications that call JWE::decrypt() on attacker-controlled JWEs using PBES2 algorithms are affected. This issue has been patched in version 1.1.1.", "A flaw was found in SimpleJWT, a PHP library for JSON Web Tokens. An unauthenticated attacker can exploit this vulnerability by tampering with JSON Web Encryption (JWE) headers when Password-Based Key Derivation Function 2 (PBES2) algorithms are in use. This can lead to a Denial of Service (DoS) if an application calls JWE::decrypt() on attacker-controlled JWEs, making the affected application unavailable." ],
  "package_state" : [ {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Fix deferred",
    "package_name" : "python3.11-djangorestframework-simplejwt",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Fix deferred",
    "package_name" : "python3.12-djangorestframework-simplejwt",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Fix deferred",
    "package_name" : "python3x-djangorestframework-simplejwt",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Fix deferred",
    "package_name" : "python-djangorestframework-simplejwt",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-33204\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33204\nhttps://github.com/kelvinmo/simplejwt/releases/tag/v1.1.1\nhttps://github.com/kelvinmo/simplejwt/security/advisories/GHSA-xw36-67f8-339x" ],
  "name" : "CVE-2026-33204",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}