PYSEC-2026-1814

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/pyjwt/PYSEC-2026-1814.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-1814
Aliases
Published
2026-07-07T14:34:46.000573Z
Modified
2026-07-07T17:48:03.529862550Z
Severity
  • 2.2 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
  • 2.1 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
PyJWT Issuer field partial matches allowed
Details

Summary

The wrong string if check is run for iss checking, resulting in "acb" being accepted for "_abc_".

Details

This is a bug introduced in version 2.10.0: checking the "iss" claim changed from isinstance(issuer, list) to isinstance(issuer, Sequence).

-        if isinstance(issuer, list):
+        if isinstance(issuer, Sequence):
            if payload["iss"] not in issuer:
                raise InvalidIssuerError("Invalid issuer")
        else:

Since str is a Sequnce, but not a list, in is also used for string comparison. This results in if "abc" not in "__abcd__": being checked instead of if "abc" != "__abc__":.

PoC

Check out the unit tests added here: https://github.com/jpadilla/pyjwt-ghsa-75c5-xw7c-p5pm

        issuer = "urn:expected"

        payload = {"iss": "urn:"}

        token = jwt.encode(payload, "secret")

        # decode() succeeds, even though `"urn:" != "urn:expected". No exception is raised.
        with pytest.raises(InvalidIssuerError):
            jwt.decode(token, "secret", issuer=issuer, algorithms=["HS256"])

Impact

I would say the real world impact is not that high, seeing as the signature still has to match. We should still fix it.

References

Affected packages

PyPI / pyjwt

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.10.0
Fixed
2.10.1

Affected versions

2.*
2.10.0

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/pyjwt/PYSEC-2026-1814.yaml"