conwetlab / ckanext-oauth2

OAuth2 support for CKAN

Tokens are not verified with CKAN_OAUTH2_JWT_ENABLE=true

pazepaze opened this issue · comments

When jwt is enabled via env/config, tokens are accepted without verification. I tested this with expired but otherwise valid tokens. The token is decoded with jwt.decode(access_token, verify=False). As far as I understand, this means that any token would be accepted, since the signature is not checked with a public key/certificate.

So you could just change the username in the token and sign it with an arbitrary key to impersonate any user.
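As an added illustration, not code from ckanext-oauth2 or from the issue author, the following standard-library script shows what a decode with verification disabled skips and what a verifying decode checks. It assumes HS256 with a shared secret for simplicity; the extension's actual JWT algorithm, key material and claim names are not taken from the page, the key bytes are constructed for the demo, and `sub` is a placeholder for whatever claim carries the username.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def sign_hs256(claims: dict, key: bytes) -> str:
    """Build a compact HS256 JWT. Used here only to construct sample tokens."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def decode_unverified(token: str) -> dict:
    """What a decode with signature verification disabled amounts to: base64-decode
    the payload and trust whatever it says. No key, no signature check, no expiry check."""
    _, payload, _ = token.split(".")
    return json.loads(_b64url_decode(payload))


def decode_verified(token: str, key: bytes, now=None) -> dict:
    """Verify before trusting: pinned algorithm, HMAC over header.payload compared
    in constant time, and the exp claim checked against the clock."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm server-side; never let the token choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" not in claims or claims["exp"] <= now:
        raise ValueError("token expired or has no exp")
    return claims


def demo(now: float = 1_700_000_000.0) -> dict:
    """Run three constructed tokens through both decoders and report the username each accepts."""
    key = b"constructed-demo-key"  # stands in for the server's real signing key
    good = sign_hs256({"sub": "alice", "exp": now + 3600}, key)
    expired = sign_hs256({"sub": "alice", "exp": now - 1}, key)
    # A token for another user, signed with a key the server never trusted.
    foreign = sign_hs256({"sub": "admin", "exp": now + 3600}, b"not-the-server-key")

    def verified_or_none(tok):
        try:
            return decode_verified(tok, key, now=now)["sub"]
        except ValueError:
            return None

    return {
        "unverified": [decode_unverified(t)["sub"] for t in (good, expired, foreign)],
        "verified": [verified_or_none(t) for t in (good, expired, foreign)],
    }


if __name__ == "__main__":
    print(demo())
```

The unverified path returns a username for all three tokens, including the expired one and the one signed with an untrusted key; the verified path accepts only the first. With PyJWT the equivalent fix is to call `jwt.decode(token, key, algorithms=["RS256"])` (or whichever algorithm the provider uses) so that the signature and `exp` are checked, rather than disabling verification; in PyJWT 2.x the `verify=` keyword no longer exists and verification is on unless explicitly turned off via `options={"verify_signature": False}`.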