diff --git a/agent_requirements.in b/agent_requirements.in
index 354be701265a6..93dbf1e85269c 100644
--- a/agent_requirements.in
+++ b/agent_requirements.in
@@ -35,7 +35,7 @@ psutil==6.0.0
 psycopg[c,pool]==3.3.3
 pyasn1==0.4.8
 pydantic==2.12.5
-pyjwt==2.11.0
+pyjwt==2.12.1
 pymongo[srv]==4.8.0; python_version >= '3.9'
 pymqi==1.12.13
 pymysql==1.1.2
diff --git a/datadog_checks_base/changelog.d/23065.fixed b/datadog_checks_base/changelog.d/23065.fixed
new file mode 100644
index 0000000000000..a66b1c479e6bd
--- /dev/null
+++ b/datadog_checks_base/changelog.d/23065.fixed
@@ -0,0 +1 @@
+Bump PyJWT to 2.12.1 to address CVE-2026-32597.
diff --git a/datadog_checks_base/pyproject.toml b/datadog_checks_base/pyproject.toml
index 034181eb3493a..ac56acd06407b 100644
--- a/datadog_checks_base/pyproject.toml
+++ b/datadog_checks_base/pyproject.toml
@@ -57,7 +57,7 @@ http = [
     "aws-requests-auth==0.4.3",
     "botocore==1.42.54",
     "oauthlib==3.3.1",
-    "pyjwt==2.11.0",
+    "pyjwt==2.12.1",
     "pyopenssl==25.3.0",
     "pysocks==1.7.1",
     "requests-kerberos==0.15.0",