CVE-2026-29000
pac4j-jwt JwtAuthenticator Authentication Bypass
In short
A flaw in pac4j-jwt allows attackers who have the server's public key to create fake login tokens and impersonate any user, including administrators. It happens because the library accepts an encrypted token without checking that the token inside it carries a valid signature; since the public key is not a secret, encryption alone proves nothing about who created the token.
Technical detail
JwtAuthenticator in pac4j-jwt versions before 4.5.9, 5.7.9, and 6.3.3 fails to validate signatures on JWE-wrapped PlainJWT tokens. An attacker with access to the server's RSA public key can forge encrypted JWTs with arbitrary subject and role claims, bypassing authentication controls. Exploitation requires knowledge of the public key but no valid credentials. Because a JWE is encrypted to the server's public key, which by design is not secret, anyone can produce a JWE that decrypts correctly; authenticity can only come from a signature on the inner JWT, and that is the check the affected versions skip when the inner token is a PlainJWT.
Summary generated and translated by AI from the official description.
pac4j-jwt versions prior to 4.5.9, 5.7.9, and 6.3.3 contain an authentication bypass vulnerability in JwtAuthenticator when processing encrypted JWTs that allows remote attackers to forge authentication tokens. Attackers who possess the server's RSA public key can create a JWE-wrapped PlainJWT with arbitrary subject and role claims, bypassing signature verification to authenticate as any user including administrators.
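The check the description says is missing, shown as an added example that is not pac4j's own code and not the project's fix: a strict unwrap-and-verify routine written against the nimbus-jose-jwt API that pac4j-jwt builds on. The class name, method names and key fields are placeholders; it assumes the server holds an RSA private key for JWE decryption and the trusted issuer's RSA public key for JWS verification.

```java
// Added example, not pac4j code. Accepts claims only from a JWS with a valid
// signature, whether presented bare or nested inside a JWE. A JWE whose
// decrypted payload is a PlainJWT (alg=none) is rejected, because anyone holding
// the server's public key can produce such a JWE.
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.crypto.RSADecrypter;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.EncryptedJWT;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.jwt.SignedJWT;

import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;

public final class StrictNestedJwtCheck {

    private final RSAPrivateKey decryptionKey;   // placeholder: server's private key (JWE)
    private final RSAPublicKey verificationKey;  // placeholder: trusted issuer's public key (JWS)

    public StrictNestedJwtCheck(RSAPrivateKey decryptionKey, RSAPublicKey verificationKey) {
        this.decryptionKey = decryptionKey;
        this.verificationKey = verificationKey;
    }

    /**
     * Returns the claims only if the token is (a) a JWS with a valid signature, or
     * (b) a JWE whose decrypted payload is a JWS with a valid signature.
     * Every other shape, including a bare PlainJWT or a JWE wrapping a PlainJWT,
     * is rejected before any claim (subject, roles) is read.
     */
    public JWTClaimsSet verifiedClaims(String token) throws ParseException, JOSEException {
        JWT jwt = JWTParser.parse(token);

        if (jwt instanceof EncryptedJWT) {
            EncryptedJWT jwe = (EncryptedJWT) jwt;
            jwe.decrypt(new RSADecrypter(decryptionKey));
            // Payload.toSignedJWT() returns null when the decrypted payload is not a JWS,
            // which is exactly the JWE-wrapped PlainJWT case this advisory describes.
            SignedJWT inner = jwe.getPayload().toSignedJWT();
            if (inner == null) {
                throw new JOSEException("encrypted payload is not a signed JWT; rejecting");
            }
            return verifySignature(inner);
        }

        if (jwt instanceof SignedJWT) {
            return verifySignature((SignedJWT) jwt);
        }

        // PlainJWT (alg=none) or any other type: no signature, no trust.
        throw new JOSEException("unsigned JWT rejected");
    }

    private JWTClaimsSet verifySignature(SignedJWT jws) throws ParseException, JOSEException {
        if (!jws.verify(new RSASSAVerifier(verificationKey))) {
            throw new JOSEException("JWS signature verification failed");
        }
        return jws.getJWTClaimsSet();
    }
}
```

The design point is that decryption and signature verification are separate trust decisions: decryption only proves the token was addressed to this server, and the routine never returns claims from a payload that did not also pass `verify`. Upgrading to the fixed pac4j-jwt versions listed above is the actual remediation; a wrapper like this is only useful as a defence-in-depth check while that upgrade is scheduled.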
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Affected products
pac4j · pac4j-jwt

Public PoCs found: 4
github.com/tc4dy/CVE-2026-29000-PoC-Exploit (GitHub, 2 stars)
github.com/c0gnit00/CVE-2026-29000 (GitHub, 0 stars)
github.com/lucastran05/CVE-2026-29000 (GitHub, 0 stars)
www.codeant.ai/security-research/pac4j-jwt-authentication-bypass-public-key (CVE reference, unverified)