Authentication Bypass in JwtAuthenticator of pac4j-jwt by pac4j
CVE-2026-29000
What is CVE-2026-29000?
CVE-2026-29000 is a critical vulnerability identified in the JwtAuthenticator component of the pac4j-jwt library by pac4j. The library is widely used to secure applications with JSON Web Token (JWT) authentication, a common method for transmitting claims between parties in a verifiable manner. The vulnerability allows remote attackers to bypass authentication by forging tokens: an attacker who possesses the server's RSA public key can create JWE-wrapped tokens containing arbitrary claims, and because that key is public rather than secret, successful decryption alone proves nothing about who produced the token. When exploited, the flaw lets an attacker authenticate as any user, including administrators, undermining the integrity of the authentication mechanism and posing significant risk to organizations that rely on this software for access control.
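The distinction that matters for this class of bug is what a server may trust once a JWE has been decrypted. The following is an added example, not pac4j's code: it models the decision a JWT authenticator makes on the decrypted plaintext and JWE header, contrasting the flawed pattern (accept whatever decrypted) with the safe one (require a nested, signed JWT and verify its signature). For a stand-alone script it uses an HS256 inner signature from the standard library in place of RSA, and it assumes the JWE decryption itself has already been done by a JOSE library; every function name, the key, and the sample tokens are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


class TokenRejected(Exception):
    """Raised when a token fails a validation rule."""


def _b64url_decode(segment: str) -> bytes:
    # JOSE base64url omits padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_hs256_jws(claims: dict, key: bytes) -> str:
    """Mint a compact JWS (HS256); stands in for the server's own token issuer."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def verify_hs256_jws(token: str, key: bytes) -> dict:
    """Verify a compact JWS and return its claims; anything else is rejected."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("inner payload is not a compact JWS")
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError:  # covers binascii.Error and JSONDecodeError
        raise TokenRejected("malformed JWS header")
    # Pin the algorithm: 'none' or an attacker-chosen alg must not be honoured.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenRejected("unexpected or missing alg")
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise TokenRejected("bad signature")
    return json.loads(_b64url_decode(parts[1]))


def vulnerable_claims_from_plaintext(jwe_header: dict, plaintext: bytes) -> dict:
    """Flawed pattern: trusts whatever the JWE decrypted to. Anyone holding the
    server's RSA *public* key can produce such a ciphertext, so decryption says
    nothing about who wrote the claims."""
    return json.loads(plaintext)


def hardened_claims_from_plaintext(jwe_header: dict, plaintext: bytes, key: bytes) -> dict:
    """Safe pattern: the JWE must wrap a signed JWT (nested JWT, cty=JWT), and the
    inner signature must verify before any claim is trusted."""
    if str(jwe_header.get("cty", "")).upper() != "JWT":
        raise TokenRejected("JWE does not declare a nested JWT (cty=JWT)")
    return verify_hs256_jws(plaintext.decode("ascii"), key)


def authenticate(jwe_header: dict, plaintext: bytes, key: bytes) -> Optional[dict]:
    """Authenticator entry point: claims on success, None on rejection."""
    try:
        return hardened_claims_from_plaintext(jwe_header, plaintext, key)
    except (TokenRejected, ValueError):  # UnicodeDecodeError is a ValueError
        return None


# --- constructed sample inputs (not taken from the advisory) ---
SERVER_HMAC_KEY = b"constructed-demo-signing-key"
# What a legitimate issuer would place inside the JWE.
LEGIT_INNER = make_hs256_jws({"sub": "alice", "role": "user"}, SERVER_HMAC_KEY)
# Bare claims carrying no signature at all: the shape a public-key-only JWE can hide.
BARE_CLAIMS = b'{"sub":"admin","role":"admin"}'

if __name__ == "__main__":
    print("vulnerable accepts bare claims as:", vulnerable_claims_from_plaintext({"cty": "JWT"}, BARE_CLAIMS))
    print("hardened on bare claims:", authenticate({"cty": "JWT"}, BARE_CLAIMS, SERVER_HMAC_KEY))
    print("hardened on signed inner JWT:", authenticate({"cty": "JWT"}, LEGIT_INNER.encode(), SERVER_HMAC_KEY))
```

The design point is that a JWE decrypted with the server's private key gives confidentiality only; authenticity has to come from a signature the server verifies with a key the attacker does not hold, which is why the hardened path refuses anything that is not a verifiable nested JWT and pins the expected algorithm.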
Potential impact of CVE-2026-29000
- Unauthorized Access: The vulnerability permits attackers to impersonate any user within the system, including those with administrative privileges. This unauthorized access could lead to malicious activities such as data theft, modification of sensitive information, or manipulation of system settings.
- Compromise of Sensitive Data: Given that attackers can authenticate as any user, they may gain access to confidential data stored within the application. This could lead to severe data leaks, impacting both organizational privacy and compliance with data protection regulations.
- Exploitation in the Wild: There have been indications that this vulnerability could be actively exploited in cyber attacks. The potential for exploitation emphasizes the urgency of addressing the vulnerability, as it could facilitate further attacks, including the deployment of ransomware or other malicious payloads targeting involved systems.

Affected Version(s)
pac4j-jwt >= 4.0 and < 4.5.9
pac4j-jwt >= 5.0 and < 5.7.9
pac4j-jwt >= 6.0 and < 6.3.3
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which can lead to ransomware.
Timeline
- Public PoC available
- Exploit known to exist
- Vulnerability published
- Vulnerability Reserved
