Skip to content

[9.4] fix(deps): pin PyJWT to 2.13.0 for CVE-2026-48526 (#4183)#4196

Merged
Jan-Kazlouski-elastic merged 1 commit into
9.4from
backport/9.4/pr-4183
Jul 16, 2026
Merged

[9.4] fix(deps): pin PyJWT to 2.13.0 for CVE-2026-48526 (#4183)#4196
Jan-Kazlouski-elastic merged 1 commit into
9.4from
backport/9.4/pr-4183

Conversation

@github-actions

Copy link
Copy Markdown

Backports the following commits to 9.4:

## Closes elastic/security#12524
(CVE-2026-48526)

Pins transitive `PyJWT` (via `msal` / `gidgethub`) to `2.13.0` so SBOMs
resolve past the algorithm-confusion advisory (public-key JWK accepted
as HMAC secret when mixed algorithm families are allowed).

**Not affected:** connectors never calls `jwt.decode` / mixed-family
verification. `gidgethub` only `jwt.encode`s GitHub App JWTs (RS256);
`msal` uses `jwt.encode` for client assertions. Pin is for SBOM hygiene.

### Scanner A/B (`CVE-2026-48526`)

| Tool | Before | After |
|------|--------|-------|
| pip-audit | reported | clear |
| Trivy | reported | clear |
| Snyk | reported | clear |

## Checklists

#### Pre-Review Checklist
- [x] this PR does NOT contain credentials of any kind, such as API keys
or username/passwords (double check `config.yml.example`)
- [x] this PR has a meaningful title
- [x] this PR links to all relevant github issues that it fixes or
partially addresses
- [x] this PR has a thorough description
- [x] Covered the changes with automated tests
- [x] Tested the changes locally
- [x] Added a label for each target release version (example: `v7.13.2`,
`v7.14.0`, `v8.0.0`)
- [x] For bugfixes: backport safely to all minor branches still
receiving patch releases
- [ ] Considered corresponding documentation changes
- [ ] Contributed any configuration settings changes to the
configuration reference
- [ ] if you added or changed Rich Configurable Fields for a Native
Connector, you made a corresponding PR in
[Kibana](https://github.com/elastic/kibana/blob/main/packages/kbn-search-connectors/types/native_connectors.ts)

#### Changes Requiring Extra Attention

- [x] Security-related changes (encryption, TLS, SSRF, etc)
- [ ] New external service dependencies added.

## Release Note

Pin PyJWT to 2.13.0 to address CVE-2026-48526 in dependency scans.

Made with [Cursor](https://cursor.com)

Co-authored-by: Cursor <cursoragent@cursor.com>
@Jan-Kazlouski-elastic
Jan-Kazlouski-elastic enabled auto-merge (squash) July 16, 2026 21:11
@Jan-Kazlouski-elastic
Jan-Kazlouski-elastic merged commit dd8680e into 9.4 Jul 16, 2026
4 checks passed
@Jan-Kazlouski-elastic
Jan-Kazlouski-elastic deleted the backport/9.4/pr-4183 branch July 16, 2026 21:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants