python-jose through 3.3.0 accepts JWTs whose header declares alg=none and decodes them without verifying any cryptographic signature. An attacker who can present a token to the application can therefore forge one carrying arbitrary claims (for example, is_admin=true) and bypass authentication, yielding privilege escalation or unauthorized access in any application that relies on python-jose for token validation. The issue is exploitable unless the developer explicitly rejects alg=none tokens; the library does not enforce that rejection itself. In practice the caller must pin the set of acceptable algorithms (for example by passing an explicit `algorithms` allowlist to `jwt.decode`) and must never let the token's own header choose whether a signature is checked.
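The following is an added, self-contained illustration of the failure mode and of the caller-side check described above; it is not python-jose's code and does not import it. It builds JWTs by hand with the standard library, shows a naive decoder that trusts the header's alg (the behaviour the advisory describes), and shows a decoder that pins an algorithm allowlist so alg=none, case variants such as "None", and any other unexpected algorithm are rejected before a signature is ever considered. The secret and claims are constructed sample values.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample HMAC secret for this demonstration (not a real deployment key).
SECRET = b"demo-secret-key"


class JWTError(Exception):
    """Raised by the hardened decoder when a token must not be accepted."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def make_hs256_token(claims: dict, key: bytes) -> str:
    """Legitimate token: header.payload signed with HMAC-SHA256."""
    signing_input = f"{_segment({'alg': 'HS256', 'typ': 'JWT'})}.{_segment(claims)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def make_forged_none_token(claims: dict) -> str:
    """Attacker's token: alg=none, arbitrary claims, empty signature segment."""
    return f"{_segment({'alg': 'none', 'typ': 'JWT'})}.{_segment(claims)}."


def naive_decode(token: str, key: bytes) -> dict:
    """Decoder that lets the header decide whether to verify (the vulnerable pattern)."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") == "none":          # trusts the attacker-controlled header
        return json.loads(_b64url_decode(payload_b64))
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise JWTError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def verify_jwt(token: str, key: bytes, allowed_algs=("HS256",)) -> dict:
    """Hardened decoder: the caller pins the algorithms; the header cannot opt out."""
    parts = token.split(".")
    if len(parts) != 3:
        raise JWTError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    alg = header.get("alg")
    # Exact, case-sensitive allowlist: "none", "None", "NONE" and anything else
    # not explicitly permitted are all refused before any signature logic runs.
    if alg not in allowed_algs or alg == "none":
        raise JWTError(f"algorithm {alg!r} is not allowed")
    if alg == "HS256":
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            raise JWTError("bad signature")
    else:
        raise JWTError(f"no verifier implemented for {alg!r}")
    return json.loads(_b64url_decode(payload_b64))


def is_rejected(token: str, key: bytes, allowed_algs=("HS256",)) -> bool:
    """True if the hardened decoder refuses the token."""
    try:
        verify_jwt(token, key, allowed_algs)
    except JWTError:
        return True
    return False


if __name__ == "__main__":
    forged = make_forged_none_token({"sub": "alice", "is_admin": True})
    print("naive decoder accepts forged admin claim:", naive_decode(forged, SECRET)["is_admin"])
    print("hardened decoder rejects forged token:", is_rejected(forged, SECRET))
    legit = make_hs256_token({"sub": "alice", "is_admin": False}, SECRET)
    print("hardened decoder accepts legitimate token:", verify_jwt(legit, SECRET))
```

The important design point is that the allowlist is chosen by the verifier from configuration, not read from the token, and that the check happens before any key material is touched; a token that names an algorithm outside the allowlist is an error, not a request to skip verification.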
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.