diff --git a/agent_requirements.in b/agent_requirements.in
index db534655da9c3..d0113f258a265 100644
--- a/agent_requirements.in
+++ b/agent_requirements.in
@@ -34,7 +34,7 @@ psutil==6.0.0
 psycopg[c,pool]==3.2.10
 pyasn1==0.4.8
 pydantic==2.11.7
-pyjwt==2.10.1
+pyjwt==2.12.1
 pymongo[srv]==4.8.0; python_version >= '3.9'
 pymqi==1.12.11
 pymysql==1.1.2
diff --git a/datadog_checks_base/changelog.d/23064.fixed b/datadog_checks_base/changelog.d/23064.fixed
new file mode 100644
index 0000000000000..a66b1c479e6bd
--- /dev/null
+++ b/datadog_checks_base/changelog.d/23064.fixed
@@ -0,0 +1 @@
+Bump PyJWT to 2.12.1 to address CVE-2026-32597.
diff --git a/datadog_checks_base/pyproject.toml b/datadog_checks_base/pyproject.toml
index 6c66cefb774ad..6048d90e10299 100644
--- a/datadog_checks_base/pyproject.toml
+++ b/datadog_checks_base/pyproject.toml
@@ -57,7 +57,7 @@ http = [
     "aws-requests-auth==0.4.3",
     "botocore==1.40.21",
     "oauthlib==3.3.1",
-    "pyjwt==2.10.1",
+    "pyjwt==2.12.1",
     "pyopenssl==25.3.0",
     "pysocks==1.7.1",
     "requests-kerberos==0.15.0",