PyJWT accepts unknown `crit` header extensions (RFC 7515 §4.1.11 MUST violation)
Summary
PyJWT accepts unknown `crit` header extensions (RFC 7515 §4.1.11 MUST violation). Red Hat rates this important (CVSS 7.5). Weakness: CWE-347. Affected package(s): ansible-automation-platform, python3.12-pyjwt, quay/quay-rhel8:1775169155, quay/quay-rhel8:1775253092, fence-agents, rhelai3/bootc-aws-cuda-rhel9:1776871984. Resolved in Red Hat advisory RHSA-2026:13508 — update the affected packages (`sudo dnf update`).
- ansible-automation-platform-26/lightspeed-chatbot-rhel9:1777398576
- python3.12-pyjwt-0:2.12.1-1.el8ap
- python3.12-pyjwt-0:2.12.1-1.el9ap
- ansible-automation-platform-26/lightspeed-rhel9:1777387242
- quay/quay-rhel8:1775169155
- quay/quay-rhel8:1775253092
- fence-agents-0:4.10.0-98.el9_7.12
- rhelai3/bootc-aws-cuda-rhel9:1776871984
- satellite/iop-host-inventory-rhel9:1780414237
- fence-agents-0:4.10.0-62.el9_4.24
- ansible-automation-platform-26/hub-rhel9:1777299023
- automation-controller-0:4.7.11-2.el9ap
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
- RHSA-2026:13508
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Mitigation checklist
- Update the affected package(s) to the fixed version shipped in RHSA-2026:13508 (`sudo dnf update` / `yum update`).
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.