CVE-2026-27932

7.5 HIGH

📋 TL;DR

This vulnerability allows unauthenticated attackers to cause CPU-exhaustion denial of service by sending specially crafted JWE tokens whose protected header carries an extremely high PBKDF2 iteration count (the p2c parameter of the PBES2 key-wrapping algorithms). Because the recipient must run the full PBKDF2 derivation before it can unwrap the content key or check the authentication tag, that work is done for any sender, valid or not. It affects all applications using the joserfc Python library version 1.6.2 or earlier that allow PBES2 encryption algorithms. The vulnerability exists at the JWA layer and impacts the JWE and JWT decryption interfaces.

💻 Affected Systems

Products:
  • joserfc Python library
Versions: 1.6.2 and earlier
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable if PBES2 algorithms (PBES2-HS256+A128KW, PBES2-HS384+A192KW, PBES2-HS512+A256KW) are enabled in application policy.

📦 What is this software?

joserfc is the Authlib project's Python implementation of the JOSE standards (JWS, JWE, JWK, JWA and JWT). Applications use it to sign, encrypt, verify and decrypt tokens, so any endpoint that accepts JWE or encrypted JWT input from clients is in scope.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service unavailability due to CPU exhaustion, potentially affecting multiple services on shared infrastructure.

🟠

Likely Case

Degraded performance or temporary service disruption for affected endpoints processing JWE tokens.

🟢

If Mitigated

Minimal impact if PBES2 algorithms are disabled or iteration limits are enforced.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only crafting a JWE token with a very high p2c value in its protected header and sending it to a vulnerable endpoint; no key, credential or valid ciphertext is needed, since the iteration cost is paid before anything is authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.6.3

Vendor Advisory: https://github.com/authlib/joserfc/security/advisories/GHSA-w5r5-m38g-f9f9

Restart Required: Yes (a library upgrade only takes effect once the Python processes that imported joserfc are restarted)

Instructions:

1. Update joserfc: pip install --upgrade "joserfc>=1.6.3" (quote the specifier; an unquoted > is a shell redirect)
2. Verify installation: pip show joserfc
3. Restart any services using joserfc so the new version is actually loaded

🔧 Temporary Workarounds

Disable PBES2 algorithms (platform: all)

Configure the application to disallow the PBES2 algorithms in JWE/JWT processing. joserfc's decrypt and decode functions take an algorithms allow-list; pass only the algorithms the application actually uses and leave the three PBES2-* names out of it. Most applications never accept password-based key wrapping from clients, so this is usually a no-cost change.

Implement rate limiting (platform: all)

Add rate limiting on JWE/JWT decryption endpoints to limit impact. A single token is enough to tie up one worker for a long time, so rate limiting bounds the blast radius but does not remove the problem.

🧯 If You Can't Patch

  • Disable PBES2 algorithms in application configuration
  • Implement WAF rules to block JWE tokens with p2c values above a reasonable threshold (e.g., > 100000). p2c lives inside the base64url-encoded protected header (the first dot-separated segment of a compact JWE), so the rule has to decode that segment and inspect the JSON; a plain string match on "p2c" will not fire on the wire form.
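The following is an added example, not code from the advisory or from joserfc, showing what a PBES2 JWE header looks like, why its p2c value controls the recipient's CPU cost, and how the p2c ceiling from the workarounds above can be enforced before a token ever reaches the library. It uses only the Python standard library; the function names, the 100000 ceiling and the placeholder segments of the constructed tokens are choices for this example, and the sample password and p2s are taken from RFC 7517 Appendix C.

```python
import base64
import hashlib
import json

# Added example, not joserfc code. Shows (1) a PBES2 JWE protected header,
# (2) the RFC 7518 4.8.1.1 key derivation a recipient runs before it can
# verify anything, whose cost is linear in the attacker-chosen p2c, and
# (3) a pre-decryption guard that rejects out-of-range p2c values.

PBES2_ALGS = {
    # alg name -> (PBKDF2 hash, derived key length in bytes for the AES-KW step)
    "PBES2-HS256+A128KW": ("sha256", 16),
    "PBES2-HS384+A192KW": ("sha384", 24),
    "PBES2-HS512+A256KW": ("sha512", 32),
}

RFC7518_MIN_P2C = 1000  # RFC 7518 4.8.1.2 recommends at least 1000 iterations


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_pbes2_jwe(alg: str, p2c: int, p2s: bytes) -> str:
    """Build a compact JWE whose protected header carries the given p2c.

    Only the header matters for the DoS: the recipient derives the key from
    p2c before it can check the encrypted key, IV, ciphertext or tag, so the
    other four segments here are constructed filler, not a real ciphertext.
    """
    header = {"alg": alg, "enc": "A128GCM", "p2s": b64url_encode(p2s), "p2c": p2c}
    protected = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    filler = b64url_encode(b"\x00" * 16)
    return ".".join([protected, filler, filler, filler, filler])


def pbes2_derive_key(password: bytes, alg: str, p2s: bytes, p2c: int) -> bytes:
    """RFC 7518 4.8.1.1: salt = UTF8(alg) || 0x00 || p2s, then PBKDF2 with the
    hash and key length implied by alg. Cost is p2c HMAC rounds of that hash."""
    hash_name, key_len = PBES2_ALGS[alg]
    salt = alg.encode("utf-8") + b"\x00" + p2s
    return hashlib.pbkdf2_hmac(hash_name, password, salt, p2c, key_len)


def check_pbes2_header(token: str, max_p2c: int = 100_000,
                       min_p2c: int = RFC7518_MIN_P2C) -> dict:
    """Parse the protected header of a compact JWE and refuse PBES2 tokens
    whose p2c is outside [min_p2c, max_p2c]. Run this before handing the token
    to the JWE library so no PBKDF2 work is done for rejected tokens.
    Returns the parsed header on success and raises ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 5:
        raise ValueError("not a compact JWE (expected 5 segments)")
    try:
        header = json.loads(b64url_decode(parts[0]))
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError(f"undecodable protected header: {exc}") from exc
    if not isinstance(header, dict):
        raise ValueError("protected header is not a JSON object")
    if header.get("alg") in PBES2_ALGS:
        p2c = header.get("p2c")
        if not isinstance(p2c, int) or isinstance(p2c, bool):
            raise ValueError("PBES2 header without an integer p2c")
        if p2c < min_p2c or p2c > max_p2c:
            raise ValueError(f"p2c={p2c} outside allowed range [{min_p2c}, {max_p2c}]")
    return header


def is_acceptable(token: str, **limits) -> bool:
    """Boolean form of check_pbes2_header for use in request filters."""
    try:
        check_pbes2_header(token, **limits)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Password and p2s from the RFC 7517 Appendix C PBES2-HS256+A128KW example.
    password = b"Thus from my lips, by yours, my sin is purged."
    p2s = b64url_decode("2WCTcJZ1Rvd_CJuJripQ1w")
    ok_token = make_pbes2_jwe("PBES2-HS256+A128KW", 4096, p2s)
    print("accepted p2c:", check_pbes2_header(ok_token)["p2c"])
    print("derived key:", pbes2_derive_key(password, "PBES2-HS256+A128KW", p2s, 4096).hex())

    # Attacker-chosen p2c: 2**31 - 1 costs roughly 500,000 times the work of
    # the 4096-iteration header above, per token, before any authentication.
    bad_token = make_pbes2_jwe("PBES2-HS256+A128KW", 2**31 - 1, p2s)
    try:
        check_pbes2_header(bad_token)
    except ValueError as err:
        print("rejected:", err)
```

The guard is deliberately independent of the JWE library: it runs on the raw token string, so it can sit in a middleware or a WAF-style filter in front of any decryptor. Non-PBES2 algorithms pass through untouched, and tokens with a p2c below the RFC 7518 recommended minimum are rejected as well, since those indicate a broken or hostile sender rather than a legitimate one.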

🔍 How to Verify

Check if Vulnerable:

pip show joserfc | grep -i ^version

Any version up to and including 1.6.2 is vulnerable when PBES2 algorithms are allowed by the application's algorithm policy; if that policy already excludes the PBES2-* algorithms, the code path cannot be reached.

Verify Fix Applied:

Re-run the same command after upgrading and confirm the version is 1.6.3 or higher, then confirm the service processes were restarted so the new code is actually loaded.

📡 Detection & Monitoring

Log Indicators:

  • High CPU usage spikes on JWE/JWT processing endpoints
  • Long processing times for JWE tokens
  • Multiple failed decryption attempts with high iteration counts

Network Indicators:

  • Incoming JWE tokens with unusually large p2c values in headers
  • Spike in traffic to authentication/decryption endpoints

SIEM Query (pseudo-query; adapt field names to your platform):

source="application.logs" AND ("PBES2" OR "p2c") AND (value>100000 OR "high iteration")

This only works if the application logs the decoded JWE header or the p2c value it saw. On the wire the header is base64url-encoded, so a text search for "p2c" over raw access logs will not match; decode the first segment of each token before filtering.
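Added detection example, not from the advisory or from joserfc: it implements the network indicators above by pulling compact JWE tokens out of access-log lines, decoding each protected header, and flagging PBES2 tokens whose p2c exceeds a ceiling, then aggregating per client so an alert can key on the source. The log format, client addresses and tokens are constructed for this example, and the 100000 ceiling and function names are choices for it.

```python
import base64
import json
import re
from collections import defaultdict

# Added detection example, not advisory or joserfc code. Scans access-log
# lines for compact JWE tokens, decodes each protected header, and flags
# PBES2 tokens whose p2c is above a ceiling. Everything in SAMPLE_LOG_LINES
# is constructed for this example.

P2C_CEILING = 100_000  # same threshold as the WAF workaround; tune per application
PBES2_ALGS = {"PBES2-HS256+A128KW", "PBES2-HS384+A192KW", "PBES2-HS512+A256KW"}

# Five base64url segments separated by dots: header.encrypted_key.iv.ciphertext.tag.
# The lookarounds stop a match from starting or ending inside a longer token.
JWE_RE = re.compile(
    r"(?<![A-Za-z0-9_.-])"
    r"([A-Za-z0-9_-]+\.[A-Za-z0-9_-]*\.[A-Za-z0-9_-]*\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+)"
    r"(?![A-Za-z0-9_.-])"
)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _constructed_token(header: dict) -> str:
    """Compact JWE with the given protected header; the other four segments
    are filler bytes, since only the header is inspected here."""
    seg = b64url_encode(b"\x00" * 16)
    protected = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    return ".".join([protected, seg, seg, seg, seg])


def _line(ip: str, token: str) -> str:
    """One constructed access-log line in a common-log-like format."""
    return f'{ip} - - [10/Mar/2026:12:00:01 +0000] "POST /api/exchange HTTP/1.1" 401 42 jwe={token}'


# Constructed sample log: two abusive PBES2 tokens and one sane one from a
# single client, a non-PBES2 JWE from another client, and a three-segment
# JWT that is not a JWE at all.
SAMPLE_LOG_LINES = [
    _line("203.0.113.7", _constructed_token(
        {"alg": "PBES2-HS256+A128KW", "enc": "A128GCM", "p2s": "AAAA", "p2c": 10_000_000})),
    _line("203.0.113.7", _constructed_token(
        {"alg": "PBES2-HS512+A256KW", "enc": "A256GCM", "p2s": "AAAA", "p2c": 2**31 - 1})),
    _line("203.0.113.7", _constructed_token(
        {"alg": "PBES2-HS256+A128KW", "enc": "A128GCM", "p2s": "AAAA", "p2c": 4096})),
    _line("198.51.100.4", _constructed_token({"alg": "dir", "enc": "A256GCM"})),
    _line("198.51.100.4", "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ4In0.c2ln"),
]


def decode_protected_header(token: str):
    """Decode the first segment of a compact JWE; None if it is not JSON."""
    try:
        return json.loads(b64url_decode(token.split(".")[0]))
    except (ValueError, UnicodeDecodeError):
        return None


def scan_logs(lines, max_p2c: int = P2C_CEILING):
    """Return one finding per PBES2 token whose p2c exceeds max_p2c."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        client_ip = line.split(" ", 1)[0]
        for match in JWE_RE.finditer(line):
            header = decode_protected_header(match.group(1))
            if not isinstance(header, dict) or header.get("alg") not in PBES2_ALGS:
                continue
            p2c = header.get("p2c")
            if isinstance(p2c, int) and not isinstance(p2c, bool) and p2c > max_p2c:
                findings.append({"line": line_no, "ip": client_ip,
                                 "alg": header["alg"], "p2c": p2c})
    return findings


def summarize(findings):
    """Per-client count and largest p2c seen: the shape an alert would key on."""
    summary = defaultdict(lambda: {"count": 0, "max_p2c": 0})
    for f in findings:
        entry = summary[f["ip"]]
        entry["count"] += 1
        entry["max_p2c"] = max(entry["max_p2c"], f["p2c"])
    return dict(summary)


if __name__ == "__main__":
    found = scan_logs(SAMPLE_LOG_LINES)
    for f in found:
        print(f"line {f['line']}: {f['ip']} sent {f['alg']} with p2c={f['p2c']}")
    print(summarize(found))
```

Run it against real logs by replacing SAMPLE_LOG_LINES with the lines from your ingest pipeline; the same decode-then-filter step is what a SIEM parser has to do, because the p2c value is never visible as plain text in the token. A client that repeatedly appears in the summary with p2c values far above what your own issuer uses is the signal worth alerting on.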

🔗 References

  • Vendor advisory GHSA-w5r5-m38g-f9f9: https://github.com/authlib/joserfc/security/advisories/GHSA-w5r5-m38g-f9f9
  • RFC 7518 section 4.8, Key Encryption with PBES2 (defines the p2s and p2c header parameters): https://www.rfc-editor.org/rfc/rfc7518#section-4.8