This release includes 6 security fixes for security teams reviewing exposed deployments.
ReleasePort's take
The release upgrades pyjwt to v2.13.0 and idna to v3.15, fixing multiple vulnerabilities.
Why it matters: CVE-2026-45409 in idna is resolved; operators should upgrade dependencies immediately.
Summary
AI summary: Fixes GHSA-xgmm-8j9v-c9wx, GHSA-jq35-7prp-9v3f, and GHSA-w7vc-732c-9m39 across a mixed release.
Changes in this release
| Type | Severity | Summary | Advisory | Source (confidence) |
|---|---|---|---|---|
| Security | High | Fixes GHSA-xgmm-8j9v-c9wx: JWK JSON accepted as HMAC secret causing algorithm confusion | GHSA-xgmm-8j9v-c9wx | granite4.1:30b@2026-05-22-audit (low) |
| Security | High | Fixes GHSA-jq35-7prp-9v3f: Algorithm allow-list bypass with PyJWK / PyJWKClient | GHSA-jq35-7prp-9v3f | granite4.1:30b@2026-05-22-audit (low) |
| Security | High | Fixes GHSA-w7vc-732c-9m39: Denial-of-service via base64 decode of unused payload segment when b64=false | GHSA-w7vc-732c-9m39 | granite4.1:30b@2026-05-22-audit (low) |
| Security | High | Fixes GHSA-993g-76c3-p5m4: PyJWKClient accepts non-HTTP(S) URIs | GHSA-993g-76c3-p5m4 | granite4.1:30b@2026-05-22-audit (low) |
| Security | High | Fixes GHSA-fhv5-28vv-h8m8: PyJWKClient cache wiped on fetch error | GHSA-fhv5-28vv-h8m8 | granite4.1:30b@2026-05-22-audit (low) |
| Security | High | Resolves CVE-2026-45409: idna.encode() can cause denial-of-service with crafted inputs | CVE-2026-45409 | granite4.1:30b@2026-05-22-audit (low) |
| Security | Medium | Upgraded idna to v3.15, resolving CVE-2026-45409 | CVE-2026-45409 | llm_adapter@2026-05-22 (high) |
| Security | Medium | Upgraded pyjwt to v2.13.0, fixing multiple vulnerabilities | — | llm_adapter@2026-05-22 (low) |
| Security | Medium | Upgraded pyjwt to version 2.13.0 | — | granite4.1:30b@2026-05-22-audit (low) |
Full changelog
What's Changed
- Upgraded pyjwt to v2.13.0 by @NyanKiyoshi in https://github.com/saleor/saleor/pull/19234 - fixes:
  - GHSA-xgmm-8j9v-c9wx: JWK JSON accepted as HMAC secret (algorithm confusion)
  - GHSA-jq35-7prp-9v3f: Algorithm allow-list bypass with PyJWK / PyJWKClient
  - GHSA-w7vc-732c-9m39: DoS via base64 decode of unused payload segment when b64=false
  - GHSA-993g-76c3-p5m4: PyJWKClient accepts non-HTTP(S) URIs
  - GHSA-fhv5-28vv-h8m8: PyJWKClient cache wiped on fetch error
- Upgraded idna to v3.15 to fix CVE-2026-45409 (specially crafted inputs to idna.encode() can lead to DoS) by @NyanKiyoshi in https://github.com/saleor/saleor/pull/19234
Full Changelog: https://github.com/saleor/saleor/compare/3.22.50...3.22.51
Security Fixes
- GHSA-xgmm-8j9v-c9wx: JWK JSON accepted as HMAC secret causing algorithm confusion
- GHSA-jq35-7prp-9v3f: Algorithm allow-list bypass with PyJWK / PyJWKClient
- GHSA-w7vc-732c-9m39: DoS via base64 decode of unused payload segment when b64=false
- GHSA-993g-76c3-p5m4: PyJWKClient accepts non-HTTP(S) URIs
- GHSA-fhv5-28vv-h8m8: PyJWKClient cache wiped on fetch error
- CVE-2026-45409 (idna v3.15): specially crafted inputs to idna.encode() can lead to DoS