Skip to content

fix(deps): pin PyJWT to 2.13.0 for CVE-2026-48526#4183

Merged
Jan-Kazlouski-elastic merged 3 commits into
mainfrom
jan-kazlouski/12524-cve-2026-48526-fix
Jul 16, 2026
Merged

fix(deps): pin PyJWT to 2.13.0 for CVE-2026-48526#4183
Jan-Kazlouski-elastic merged 3 commits into
mainfrom
jan-kazlouski/12524-cve-2026-48526-fix

Conversation

@Jan-Kazlouski-elastic

@Jan-Kazlouski-elastic Jan-Kazlouski-elastic commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Closes https://github.com/elastic/security/issues/12524

(CVE-2026-48526)

Pins transitive PyJWT (via msal / gidgethub) to 2.13.0 so SBOMs resolve past the algorithm-confusion advisory (public-key JWK accepted as HMAC secret when mixed algorithm families are allowed).

Not affected: connectors never calls jwt.decode / mixed-family verification. gidgethub only jwt.encodes GitHub App JWTs (RS256); msal uses jwt.encode for client assertions. Pin is for SBOM hygiene.

Scanner A/B (CVE-2026-48526)

Tool Before After
pip-audit reported clear
Trivy reported clear
Snyk reported clear

Checklists

Pre-Review Checklist

  • this PR does NOT contain credentials of any kind, such as API keys or username/passwords (double check config.yml.example)
  • this PR has a meaningful title
  • this PR links to all relevant github issues that it fixes or partially addresses
  • this PR has a thorough description
  • Covered the changes with automated tests
  • Tested the changes locally
  • Added a label for each target release version (example: v7.13.2, v7.14.0, v8.0.0)
  • For bugfixes: backport safely to all minor branches still receiving patch releases
  • Considered corresponding documentation changes
  • Contributed any configuration settings changes to the configuration reference
  • if you added or changed Rich Configurable Fields for a Native Connector, you made a corresponding PR in Kibana

Changes Requiring Extra Attention

  • Security-related changes (encryption, TLS, SSRF, etc)
  • New external service dependencies added.

Release Note

Pin PyJWT to 2.13.0 to address CVE-2026-48526 in dependency scans.

Made with Cursor

Pin the transitive PyJWT dependency (via msal/gidgethub) to the fixed
release so SBOMs resolve past the algorithm-confusion advisory.

Refs elastic/security#12524

Co-authored-by: Cursor <cursoragent@cursor.com>
@Jan-Kazlouski-elastic
Jan-Kazlouski-elastic enabled auto-merge (squash) July 16, 2026 19:26
@Jan-Kazlouski-elastic
Jan-Kazlouski-elastic merged commit 78f1450 into main Jul 16, 2026
4 checks passed
@Jan-Kazlouski-elastic
Jan-Kazlouski-elastic deleted the jan-kazlouski/12524-cve-2026-48526-fix branch July 16, 2026 21:09
@github-actions

Copy link
Copy Markdown

💔 Failed to create backport PR(s)

Status Branch Result
9.5 #4194
9.3 #4195
9.4 #4196
8.19 Commit could not be cherrypicked due to conflicts

Successful backport PRs will be merged automatically after passing CI.

To backport manually run:
backport --pr 4183 --autoMerge --autoMergeMethod squash

Jan-Kazlouski-elastic added a commit that referenced this pull request Jul 16, 2026
Backports the following commits to 9.3:
 - fix(deps): pin PyJWT to 2.13.0 for CVE-2026-48526 (#4183)

Co-authored-by: Jan-Kazlouski-elastic <jan.kazlouski@elastic.co>
Co-authored-by: Cursor <cursoragent@cursor.com>
Jan-Kazlouski-elastic added a commit that referenced this pull request Jul 16, 2026
Backports the following commits to 9.4:
 - fix(deps): pin PyJWT to 2.13.0 for CVE-2026-48526 (#4183)

Co-authored-by: Jan-Kazlouski-elastic <jan.kazlouski@elastic.co>
Co-authored-by: Cursor <cursoragent@cursor.com>
Jan-Kazlouski-elastic added a commit that referenced this pull request Jul 16, 2026
Backports the following commits to 9.5:
 - fix(deps): pin PyJWT to 2.13.0 for CVE-2026-48526 (#4183)

Co-authored-by: Jan-Kazlouski-elastic <jan.kazlouski@elastic.co>
Co-authored-by: Cursor <cursoragent@cursor.com>
Jan-Kazlouski-elastic added a commit that referenced this pull request Jul 17, 2026
Backports the following commits to 8.19:
 - fix(deps): pin PyJWT to 2.13.0 for CVE-2026-48526 (#4183)

Made with [Cursor](https://cursor.com)

Co-authored-by: Cursor <cursoragent@cursor.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants