{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33204", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T23:23:58.312Z", "datePublished": "2026-03-20T22:37:13.411Z", "dateUpdated": "2026-03-24T15:34:35.165Z"}, "containers": {"cna": {"title": "SimpleJWT has an Unauthenticated Denial of Service via JWE header tampering", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/kelvinmo/simplejwt/security/advisories/GHSA-xw36-67f8-339x", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/kelvinmo/simplejwt/security/advisories/GHSA-xw36-67f8-339x"}, {"name": "https://github.com/kelvinmo/simplejwt/releases/tag/v1.1.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/kelvinmo/simplejwt/releases/tag/v1.1.1"}], "affected": [{"vendor": "kelvinmo", "product": "simplejwt", "versions": [{"version": "< 1.1.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T22:37:13.411Z"}, "descriptions": [{"lang": "en", "value": "SimpleJWT is a simple JSON web token library written in PHP. Prior to version 1.1.1, an unauthenticated attacker can perform a Denial of Service via JWE header tampering when PBES2 algorithms are used. Applications that call JWE::decrypt() on attacker-controlled JWEs using PBES2 algorithms are affected. This issue has been patched in version 1.1.1."}], "source": {"advisory": "GHSA-xw36-67f8-339x", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T15:33:43.475530Z", "id": "CVE-2026-33204", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T15:34:35.165Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33204", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-24T15:33:43.475530Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T15:34:29.369Z"}}], "cna": {"title": "SimpleJWT has an Unauthenticated Denial of Service via JWE header tampering", "source": {"advisory": "GHSA-xw36-67f8-339x", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "kelvinmo", "product": "simplejwt", "versions": [{"status": "affected", "version": "< 1.1.1"}]}], "references": [{"url": "https://github.com/kelvinmo/simplejwt/security/advisories/GHSA-xw36-67f8-339x", "name": "https://github.com/kelvinmo/simplejwt/security/advisories/GHSA-xw36-67f8-339x", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/kelvinmo/simplejwt/releases/tag/v1.1.1", "name": "https://github.com/kelvinmo/simplejwt/releases/tag/v1.1.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "SimpleJWT is a simple JSON web token library written in PHP. Prior to version 1.1.1, an unauthenticated attacker can perform a Denial of Service via JWE header tampering when PBES2 algorithms are used. Applications that call JWE::decrypt() on attacker-controlled JWEs using PBES2 algorithms are affected. This issue has been patched in version 1.1.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T22:37:13.411Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33204", "state": "PUBLISHED", "dateUpdated": "2026-03-24T15:34:35.165Z", "dateReserved": "2026-03-17T23:23:58.312Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T22:37:13.411Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:kelvinmo:simplejwt:*:*:*:*:*:*:*:*", "matchCriteriaId": "FF560E9F-8D50-4B6F-84FF-B63FAB5BD2D0", "versionEndExcluding": "1.1.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SimpleJWT is a simple JSON web token library written in PHP. Prior to version 1.1.1, an unauthenticated attacker can perform a Denial of Service via JWE header tampering when PBES2 algorithms are used. Applications that call JWE::decrypt() on attacker-controlled JWEs using PBES2 algorithms are affected. This issue has been patched in version 1.1.1."}, {"lang": "es", "value": "SimpleJWT es una sencilla biblioteca de tokens web JSON escrita en PHP. Antes de la versi\u00f3n 1.1.1, un atacante no autenticado puede realizar una denegaci\u00f3n de servicio mediante la manipulaci\u00f3n del encabezado JWE cuando se utilizan algoritmos PBES2. Las aplicaciones que llaman a JWE::decrypt() en JWEs controlados por el atacante utilizando algoritmos PBES2 se ven afectadas. Este problema ha sido parcheado en la versi\u00f3n 1.1.1."}], "id": "CVE-2026-33204", "lastModified": "2026-04-10T01:25:08.487", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T23:16:45.677", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/kelvinmo/simplejwt/releases/tag/v1.1.1"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/kelvinmo/simplejwt/security/advisories/GHSA-xw36-67f8-339x"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "SimpleJWT: SimpleJWT: Denial of Service via JWE header tampering", "id": "2449822", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2449822"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-325", "details": ["A flaw was found in SimpleJWT, a PHP library for JSON Web Tokens. An unauthenticated attacker can exploit this vulnerability by tampering with JSON Web Encryption (JWE) headers when Password-Based Key Derivation Function 2 (PBES2) algorithms are in use. This can lead to a Denial of Service (DoS) if an application calls JWE::decrypt() on attacker-controlled JWEs, making the affected application unavailable."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-33204", "package_state": [{"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "python3.11-djangorestframework-simplejwt", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "python3.12-djangorestframework-simplejwt", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "python3x-djangorestframework-simplejwt", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "python-djangorestframework-simplejwt", "product_name": "Red Hat Ansible Automation Platform 2"}], "public_date": "2026-03-20T22:37:13Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33204\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33204\nhttps://github.com/kelvinmo/simplejwt/releases/tag/v1.1.1\nhttps://github.com/kelvinmo/simplejwt/security/advisories/GHSA-xw36-67f8-339x"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.1.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "product": "simplejwt", "vendor": "kelvin_mo"}], "analysis": {"en": {"generated_at": "2026-04-10T02:29:12.964768+00:00", "value": {"mitigation_remediation": ["Apply version 1.1.1 or later of SimpleJWT to eliminate the flaw", "Ensure that any remaining usage of PBES2 algorithms is disabled or tightly validated before decryption", "Audit application code to guarantee that JWE::decrypt() is invoked only with trusted, non\u2011attacker\u2011controlled tokens"], "summary": {"action": "Apply Patch", "impact": "Denial of Service (Unauthenticated)"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the SimpleJWT library from Kelvinmo, in all releases before version 1.1.1. Production systems using unsaved or externally supplied JWE tokens with PBES2 algorithms will be impacted.", "description_and_impact": "SimpleJWT, a PHP library for JSON web tokens, allows an attacker to trigger a denial of service by tampering with the JWE header when PBES2 algorithms are used. The flaw lies in the JWE::decrypt() routine, which does not validate the header properly and can be invoked with attacker\u2011controlled tokens. Because the attack does not require authentication, it compromises availability for any application relying on this library.", "risk_and_exploitability": "With a CVSS score of 7.5 and an EPSS score below 1%, the risk is high but the likelihood of exploitation is currently low, as the vulnerability is not listed in CISA KEV. An attacker only needs to supply a crafted JWE header to an application that calls JWE::decrypt(), making exploitation straightforward once the input is under their control."}}}}, "created": "2026-03-23T09:52:23.385733+00:00", "updated": "2026-04-10T09:46:25.331391+00:00", "vendors": ["kelvin_mo", "kelvin_mo$PRODUCT$simplejwt"]}