diff --git a/changelog/4035.security.md b/changelog/4035.security.md new file mode 100644 index 000000000..9ffc17305 --- /dev/null +++ b/changelog/4035.security.md @@ -0,0 +1 @@ +- Bumped PyJWT minimum version from 2.10.1 to 2.12.0 in the `livekit` extra to address CVE-2026-32597 (GHSA-752w-5fwx-jx9f), where PyJWT <= 2.11.0 accepted unknown `crit` header extensions.