{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33204", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T23:23:58.312Z", "datePublished": "2026-03-20T22:37:13.411Z", "dateUpdated": "2026-03-20T22:37:13.411Z"}, "containers": {"cna": {"title": "SimpleJWT has an Unauthenticated Denial of Service via JWE header tampering", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/kelvinmo/simplejwt/security/advisories/GHSA-xw36-67f8-339x", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/kelvinmo/simplejwt/security/advisories/GHSA-xw36-67f8-339x"}, {"name": "https://github.com/kelvinmo/simplejwt/releases/tag/v1.1.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/kelvinmo/simplejwt/releases/tag/v1.1.1"}], "affected": [{"vendor": "kelvinmo", "product": "simplejwt", "versions": [{"version": "< 1.1.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T22:37:13.411Z"}, "descriptions": [{"lang": "en", "value": "SimpleJWT is a simple JSON web token library written in PHP. Prior to version 1.1.1, an unauthenticated attacker can perform a Denial of Service via JWE header tampering when PBES2 algorithms are used. Applications that call JWE::decrypt() on attacker-controlled JWEs using PBES2 algorithms are affected. This issue has been patched in version 1.1.1."}], "source": {"advisory": "GHSA-xw36-67f8-339x", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "SimpleJWT is a simple JSON web token library written in PHP. Prior to version 1.1.1, an unauthenticated attacker can perform a Denial of Service via JWE header tampering when PBES2 algorithms are used. Applications that call JWE::decrypt() on attacker-controlled JWEs using PBES2 algorithms are affected. This issue has been patched in version 1.1.1."}], "id": "CVE-2026-33204", "lastModified": "2026-03-23T14:32:02.800", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T23:16:45.677", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/kelvinmo/simplejwt/releases/tag/v1.1.1"}, {"source": "security-advisories@github.com", "url": "https://github.com/kelvinmo/simplejwt/security/advisories/GHSA-xw36-67f8-339x"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "SimpleJWT: SimpleJWT: Denial of Service via JWE header tampering", "id": "2449822", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2449822"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-325", "details": ["A flaw was found in SimpleJWT, a PHP library for JSON Web Tokens. An unauthenticated attacker can exploit this vulnerability by tampering with JSON Web Encryption (JWE) headers when Password-Based Key Derivation Function 2 (PBES2) algorithms are in use. This can lead to a Denial of Service (DoS) if an application calls JWE::decrypt() on attacker-controlled JWEs, making the affected application unavailable."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-33204", "package_state": [{"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "python3.11-djangorestframework-simplejwt", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "python3.12-djangorestframework-simplejwt", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "python3x-djangorestframework-simplejwt", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "python-djangorestframework-simplejwt", "product_name": "Red Hat Ansible Automation Platform 2"}], "public_date": "2026-03-20T22:37:13Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33204\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33204\nhttps://github.com/kelvinmo/simplejwt/releases/tag/v1.1.1\nhttps://github.com/kelvinmo/simplejwt/security/advisories/GHSA-xw36-67f8-339x"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.1.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "product": "simplejwt", "vendor": "kelvin_mo"}], "created": "2026-03-23T09:52:23.385733+00:00", "updated": "2026-03-23T09:52:23.385811+00:00", "vendors": ["kelvin_mo", "kelvin_mo$PRODUCT$simplejwt"]}