## GitHub Dependabot Alert #345: PyJWT <=2.11.0 Exposed to Critical CVE-2026-32597 Vulnerability
A critical security vulnerability in the PyJWT library has triggered an active Dependabot alert within a GitHub repository, exposing the codebase to a potential header parameter validation bypass. The alert, designated #345, flags all versions of PyJWT up to and including 2.11.0 as vulnerable to CVE-2026-32597, a flaw with a CVSS severity score of 7.5. The fix is available in PyJWT version 2.12.0 and later, with 2.12.1 being the latest stable release. This creates an immediate security debt that must be addressed through manual dependency management.

The vulnerable pin persists because PyJWT is a transitive dependency, pulled into the project indirectly by `gidgethub`. Consequently, it appears in two generated lockfiles, `py/deps/requirements.txt` and `ci/requirements.txt`, but is not listed as a direct constraint in the source file `py/deps/requirements.in`. This layout has prevented Dependabot's automated resolution tools from applying the update, because they cannot run the `pip-compile --generate-hashes` command required to regenerate the hashed lockfiles.

To remediate the risk, a developer has been tasked with a specific two-step plan. First, they must explicitly add `pyjwt[crypto]>=2.12.1` as a direct dependency constraint in `py/deps/requirements.in`. Second, they must manually regenerate the affected lockfiles to enforce the secure version across the project's development and continuous integration environments. This manual override is necessary to close the security gap that automated tooling cannot currently resolve, highlighting a potential weakness in dependency management workflows for projects using hash-pinned requirements.
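As an added example (not code from the alert, the repository or the PyJWT project), the following Python check parses a `pip-compile --generate-hashes` lockfile, reports whether `pyjwt` is still pinned below the fixed version, and uses the `# via` annotations to tell a transitive pin from a direct one. The lockfile excerpt, its `gidgethub` version and its hash values are constructed placeholders; only the `FIXED_IN` threshold comes from the alert, and the version comparison assumes plain numeric release versions.

```python
import re

# Constructed excerpt of a pip-compile --generate-hashes lockfile (hash values
# are placeholders); the "# via" notes mirror PyJWT being pulled in by gidgethub.
SAMPLE_LOCKFILE = """\
gidgethub==5.3.0 \\
    --hash=sha256:PLACEHOLDER_HASH_1
    # via -r py/deps/requirements.in
pyjwt[crypto]==2.11.0 \\
    --hash=sha256:PLACEHOLDER_HASH_2 \\
    --hash=sha256:PLACEHOLDER_HASH_3
    # via gidgethub
"""
FIXED_IN = "2.12.0"  # first PyJWT release fixing CVE-2026-32597, per the alert
# name, optional [extras], ==version; the trailing " \" continuation is ignored
PIN_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.-]+)(?:\[[^\]]*\])?==(?P<version>[^\s\\]+)")


def parse_lockfile(text):
    """Map normalized package name -> (pinned version, list of '# via' sources)."""
    pins, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("--hash"):
            continue
        if line.startswith("#"):
            note = line.lstrip("#").strip()
            if note.startswith("via"):  # "# via x" or "# via" + indented list
                note = note[3:].strip()
            if note and current:
                pins[current][1].append(note)
            continue
        match = PIN_RE.match(line)
        if match:
            current = match.group("name").lower().replace("_", "-")
            pins[current] = (match.group("version"), [])
    return pins


def version_key(version):
    """Numeric tuple for release versions (assumption: no pre-release suffixes)."""
    key = [int(p) for p in re.findall(r"\d+", version)]
    while key and key[-1] == 0:  # so 2.12 and 2.12.0 compare equal
        key.pop()
    return tuple(key)


def find_vulnerable_pin(text, package="pyjwt", fixed_in=FIXED_IN):
    """Return pin details if `package` is pinned below `fixed_in`, else None.
    A pin is direct when one of its '# via' sources is a requirements.in (-r ...)."""
    entry = parse_lockfile(text).get(package)
    if entry is None or version_key(entry[0]) >= version_key(fixed_in):
        return None
    return {"version": entry[0], "via": entry[1],
            "transitive": not any(v.startswith("-r") for v in entry[1])}
```

Running the check against both lockfiles before and after regenerating them confirms that the `pyjwt` pin has moved to a fixed version in each environment, not just in `requirements.in`.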
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: cybersecurity, vulnerability, dependency-management, github, python
- **Credibility**: unverified
- **Published**: 2026-04-01 22:27:16
- **ID**: 46131
- **URL**: https://whisperx.ai/en/intel/46131