LeakyCreds

CVE-2026-29000 - Vulnerability Analysis

Severity: Critical
CVSS: 10.0

Last Updated: March 4, 2026

pac4j-jwt - Authentication Bypass

Published: March 4, 2026
Updated: March 4, 2026
Remote Exploitable

Overview

pac4j-jwt versions before 4.5.9, 5.7.9, and 6.3.3 contain an authentication bypass caused by improper verification of encrypted JWTs in JwtAuthenticator, letting remote attackers forge authentication tokens. Exploitation requires possession of the server's RSA public key.

Severity & Score

Severity: Critical
CVSS Score: 10.0

Impact

Remote attackers can forge authentication tokens to impersonate any user, including administrators, leading to full authentication bypass.

Mitigation

Upgrade to versions 4.5.9, 5.7.9, 6.3.3 or later.
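To locate deployments that still need this upgrade, the following is an added example (not code from the advisory or the pac4j project): it checks a pac4j-jwt version string against the fixed versions above and scans `mvn dependency:tree` output for the artifact. It assumes the Maven coordinates `org.pac4j:pac4j-jwt`, treats major versions below 4 as affected (they are below 4.5.9 and no fix is listed for them) and majors above 6 as fixed ("6.3.3 or later").

```python
import re
from typing import List, Tuple

# Fixed versions per release line, taken from the advisory above.
FIXED_BY_MAJOR = {4: (4, 5, 9), 5: (5, 7, 9), 6: (6, 3, 3)}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '5.7.8' (or '5.7.8-SNAPSHOT') into a comparable tuple of ints."""
    core = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not core:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in core.groups())


def is_affected(version: str) -> bool:
    """True if this pac4j-jwt version falls inside an affected range.

    Assumption: majors below 4 count as affected (below 4.5.9, no fix listed);
    majors above 6 count as fixed, per "upgrade to 6.3.3 or later".
    """
    v = parse_version(version)
    major = v[0]
    if major < 4:
        return True
    if major > 6:
        return False
    return v < FIXED_BY_MAJOR[major]


# Maven `dependency:tree` prints lines such as
#   [INFO] +- org.pac4j:pac4j-jwt:jar:5.7.8:compile
DEP_LINE = re.compile(r"org\.pac4j:pac4j-jwt:jar:([0-9][^:\s]*)")


def scan_dependency_tree(output: str) -> List[Tuple[str, bool]]:
    """Return (version, affected) for every pac4j-jwt line in the tree output."""
    findings = []
    for line in output.splitlines():
        m = DEP_LINE.search(line)
        if m:
            findings.append((m.group(1), is_affected(m.group(1))))
    return findings


# Constructed sample of `mvn dependency:tree` output (not real project output).
SAMPLE_TREE = """\
[INFO] com.example:webapp:war:1.0
[INFO] +- org.pac4j:pac4j-core:jar:5.7.8:compile
[INFO] +- org.pac4j:pac4j-jwt:jar:5.7.8:compile
[INFO] \\- org.pac4j:pac4j-jwt:jar:6.3.3:test
"""

if __name__ == "__main__":
    for version, affected in scan_dependency_tree(SAMPLE_TREE):
        print(f"pac4j-jwt {version}: {'AFFECTED, upgrade' if affected else 'ok'}")
```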

Details

CVE ID
CVE-2026-29000
Severity
Critical
CVSS Score
10.0
Type
broken_authentication
Status
new

CWE

  • CWE-347

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L