Description

SimpleJWT is a simple JSON web token library written in PHP. Prior to version 1.1.1, an unauthenticated attacker can perform a Denial of Service via JWE header tampering when PBES2 algorithms are used. Applications that call JWE::decrypt() on attacker-controlled JWEs using PBES2 algorithms are affected. This issue has been patched in version 1.1.1.

Status: PUBLISHED | Reserved 2026-03-17 | Published 2026-03-20 | Updated 2026-03-24 | Assigner GitHub_M

CVSS 3.1 base score: 7.5 (HIGH), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Problem types

CWE-400: Uncontrolled Resource Consumption

Product status

Versions < 1.1.1: affected

References

github.com/...plejwt/security/advisories/GHSA-xw36-67f8-339x

github.com/kelvinmo/simplejwt/releases/tag/v1.1.1

cve.org (CVE-2026-33204)

nvd.nist.gov (CVE-2026-33204)