
Description

pac4j-jwt versions prior to 4.5.9, 5.7.9, and 6.3.3 contain an authentication bypass vulnerability in JwtAuthenticator when processing encrypted JWTs, which allows remote attackers to forge authentication tokens. An attacker who possesses the server's RSA public key can create a JWE-wrapped PlainJWT with arbitrary subject and role claims, bypassing signature verification and authenticating as any user, including administrators.

State: PUBLISHED | Reserved: 2026-03-03 | Published: 2026-03-04 | Updated: 2026-03-07 | Assigner: VulnCheck

CRITICAL: 10.0 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L)

CRITICAL: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L)

Problem types

CWE-347 Improper Verification of Cryptographic Signature

Product status

Default status
unaffected

4.0 (semver) before 4.5.9
affected

5.0 (semver) before 5.7.9
affected

6.0 (semver) before 6.3.3
affected

Credits

CodeAnt AI Security (finder)

References

www.pac4j.org/...ty-advisory-pac4j-jwt-jwtauthenticator.html (vendor advisory)

www.codeant.ai/...pac4j-jwt-authentication-bypass-public-key (technical description, exploit)

www.vulncheck.com/...-jwtauthenticator-authentication-bypass (third-party advisory)

cve.org (CVE-2026-29000)

nvd.nist.gov (CVE-2026-29000)
