CVE-2026-29000 - Vulnerability Analysis
Severity: Critical | CVSS: 10.0 | Last Updated: March 5, 2026
pac4j-jwt - Authentication Bypass
Overview
pac4j-jwt versions before 4.5.9, 5.7.9 and 6.3.3 contain an authentication bypass caused by improper verification of encrypted JWTs in JwtAuthenticator, letting remote attackers forge authentication tokens. Exploitation requires possession of the server's RSA public key.
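As an added illustration (not pac4j code and not taken from the fix), the Python below models the step that follows JWE decryption: the weak pattern trusts the decrypted bytes as a claim set, while the hardened pattern requires the plaintext to be a nested, signed JWS and verifies that signature before reading any claim. The signing key, the claim values and the use of HS256 for the inner token are assumptions made for the demo.

```python
import base64
import hashlib
import hmac
import json

def b64url_decode(segment: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def sign_hs256(claims: dict, key: bytes) -> str:
    """Build a compact HS256 JWS (header.payload.signature); used to construct samples."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def accept_decrypted_insecure(plaintext: bytes) -> dict:
    # Flawed pattern (for contrast): decrypted bytes are trusted as a claim set,
    # so encryption alone, which needs only the public key, stands in for a signature.
    return json.loads(plaintext)

def accept_decrypted_hardened(plaintext: bytes, key: bytes) -> dict:
    # Hardened pattern: the envelope gives confidentiality only. The plaintext must
    # itself be a compact JWS whose signature verifies under the server's signing key.
    parts = plaintext.decode("ascii").split(".")
    if len(parts) != 3 or not all(parts):
        raise ValueError("encrypted payload is not a signed (nested) JWT")
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg") != "HS256":  # reject 'none' and any alg we did not expect
        raise ValueError(f"unsupported alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("inner signature invalid")
    return json.loads(b64url_decode(parts[1]))

# Constructed samples standing in for the *decrypted* content of a JWE envelope.
SIGNING_KEY = b"constructed-demo-key-not-for-production"
LEGIT_INNER = sign_hs256({"sub": "alice", "role": "user"}, SIGNING_KEY).encode()
FORGED_INNER = json.dumps({"sub": "admin", "role": "admin"}).encode()  # bare, unsigned

def demo() -> dict:
    out = {"legit_hardened": accept_decrypted_hardened(LEGIT_INNER, SIGNING_KEY)["sub"],
           "forged_insecure": accept_decrypted_insecure(FORGED_INNER)["sub"]}
    try:
        accept_decrypted_hardened(FORGED_INNER, SIGNING_KEY)
        out["forged_hardened"] = "accepted"
    except ValueError:  # also covers JSON, base64 and unicode decode failures
        out["forged_hardened"] = "rejected"
    return out
```

Running `demo()` shows the same unsigned claim set accepted by the weak path and rejected by the hardened one, which is the distinction the advisory turns on.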
Impact
Remote attackers can forge authentication tokens to impersonate any user, including administrators, leading to full authentication bypass.
Mitigation
Upgrade to version 4.5.9, 5.7.9 or 6.3.3 (or later) of the corresponding release line.
Social Media Activity (1 post)
Critical Authentication Bypass in pac4j-jwt Library Allows Full User Impersonation

A critical authentication bypass vulnerability (CVE-2026-29000) in the pac4j-jwt Java library allows attackers to impersonate any user by forging encrypted but unsigned tokens. The flaw is caused by a logic error in JwtAuthenticator that skips signature verification when a token is wrapped in an RSA-encrypted envelope. **If your Java applications use pac4j-jwt, this is urgent! Update to the latest patched versions immediately because there is no practical way to hide your app from the internet, and the exploit is trivial - it will be exploited in a matter of days.** #cybersecurity #infosec #advisory #vulnerability https://beyondmachines.net/event_details/critical-authentication-bypass-in-pac4j-jwt-library-allows-full-user-impersonation-f-h-1-h-f/gD2P6Ple2L
Details
- CVE ID: CVE-2026-29000
- Severity: Critical
- CVSS Score: 10.0
- Type: broken_authentication
- Status: unconfirmed
- EPSS: 23.8%
- Social Posts: 1
- CWE: CWE-347
- CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L