<div class="container">
<h1>Security update for python-PyJWT</h1>
<table class="table table-striped table-bordered">
<tbody>
<tr>
<th>Announcement ID:</th>
<td>SUSE-SU-2026:20839-1</td>
</tr>
<tr>
<th>Release Date:</th>
<td>2026-03-25T18:07:39Z</td>
</tr>
<tr>
<th>Rating:</th>
<td>important</td>
</tr>
<tr>
<th>References:</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1259616">bsc#1259616</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>
Cross-References:
</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2026-32597.html">CVE-2026-32597</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>CVSS scores:</th>
<td>
<ul class="list-group">
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-32597</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">8.7</span>
<span class="cvss-vector">CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-32597</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">7.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-32597</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">7.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N</span>
</li>
</ul>
</td>
</tr>
<tr>
<th>Affected Products:</th>
<td>
<ul class="list-group">
<li class="list-group-item">SUSE Linux Micro 6.2</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>An update that solves one vulnerability can now be installed.</p>
<h2>Description:</h2>
<p>This update for python-PyJWT fixes the following issue:</p>
<p>Update to PyJWT 2.12.1:</p>
<ul>
<li>CVE-2026-32597: PyJWT accepts unknown <code>crit</code> header extensions (bsc#1259616).</li>
</ul>
<p>Changelog:</p>
<p>Update to 2.12.1:</p>
<ul>
<li>Add missing typing_extensions dependency for Python < 3.11 in
#1150</li>
</ul>
<p>Update to 2.12.0:</p>
<ul>
<li>Annotate PyJWKSet.keys for pyright by @tamird in #1134</li>
<li>Close HTTPError response to prevent ResourceWarning on
Python 3.14 by @veeceey in #1133</li>
<li>Do not keep algorithms dict in PyJWK instances by @akx in
#1143</li>
<li>Use PyJWK algorithm when encoding without explicit
algorithm in #1148</li>
<li>Docs: Add PyJWKClient API reference and document the
two-tier caching system (JWK Set cache and signing key LRU
cache).</li>
</ul>
<p>Update to 2.11.0:</p>
<ul>
<li>Enforce ECDSA curve validation per RFC 7518 Section 3.4.</li>
<li>Fix build system warnings by @kurtmckee in #1105</li>
<li>Validate key against allowed types for Algorithm family in
#964</li>
<li>Add iterator for JWKSet in #1041</li>
<li>Validate iss claim is a string during encoding and decoding
by @pachewise in #1040</li>
<li>Improve typing/logic for options in decode, decode_complete
by @pachewise in #1045</li>
<li>Declare float supported type for lifespan and timeout by
@nikitagashkov in #1068</li>
<li>Fix SyntaxWarnings/DeprecationWarnings caused by invalid
escape sequences by @kurtmckee in #1103</li>
<li>Development: Build a shared wheel once to speed up test
suite setup times by @kurtmckee in #1114</li>
<li>Development: Test type annotations across all supported
Python versions, increase the strictness of the type
checking, and remove the mypy pre-commit hook by @kurtmckee
in #1112</li>
<li>Support Python 3.14, and test against PyPy 3.10 and 3.11 by
@kurtmckee in #1104</li>
<li>Development: Migrate to build to test package building in
CI by @kurtmckee in #1108</li>
<li>Development: Improve coverage config and eliminate unused
test suite code by @kurtmckee in #1115</li>
<li>Docs: Standardize CHANGELOG links to PRs by @kurtmckee in
#1110</li>
<li>Docs: Fix Read the Docs builds by @kurtmckee in #1111</li>
<li>Docs: Add example of using leeway with nbf by @djw8605 in
#1034</li>
<li>Docs: Refactored docs with autodoc; added PyJWS and
jwt.algorithms docs by @pachewise in #1045</li>
<li>Docs: Documentation improvements for "sub" and "jti" claims
by @cleder in #1088</li>
<li>Development: Add pyupgrade as a pre-commit hook by
@kurtmckee in #1109</li>
<li>Add minimum key length validation for HMAC and RSA keys
(CWE-326). Warns by default via InsecureKeyLengthWarning
when keys are below minimum recommended lengths per RFC
7518 Section 3.2 (HMAC) and NIST SP 800-131A (RSA). Pass
enforce_minimum_key_length=True in options to PyJWT or
PyJWS to raise InvalidKeyError instead.</li>
<li>Refactor PyJWT to own an internal PyJWS instance instead of
calling global api_jws functions.</li>
</ul>
<h2>Patch Instructions:</h2>
<p>
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".<br/>
Alternatively you can run the command listed for your product:
</p>
<ul class="list-group">
<li class="list-group-item">
SUSE Linux Micro 6.2
<br/>
<code>zypper in -t patch SUSE-SL-Micro-6.2-445=1</code>
</li>
</ul>
<h2>Package List:</h2>
<ul>
<li>
SUSE Linux Micro 6.2 (noarch)
<ul>
<li>python313-PyJWT-2.12.1-160000.1.1</li>
</ul>
</li>
</ul>
<h2>References:</h2>
<ul>
<li>
<a href="https://www.suse.com/security/cve/CVE-2026-32597.html">https://www.suse.com/security/cve/CVE-2026-32597.html</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1259616">https://bugzilla.suse.com/show_bug.cgi?id=1259616</a>
</li>
</ul>
</div>