CVE-2026-29000
published 2026-03-04


Priority: P273, critical
CVSS 3.1 base score: 9.1 (critical)
EPSS: 5.86% (92.3rd percentile)
pac4j-jwt versions prior to 4.5.9, 5.7.9, and 6.3.3 contain an authentication bypass vulnerability in JwtAuthenticator when processing encrypted JWTs that allows remote attackers to forge authentication tokens. Attackers who possess the server's RSA public key can create a JWE-wrapped PlainJWT with arbitrary subject and role claims, bypassing signature verification to authenticate as any user including administrators.

Affected (3 ranges)

Vendor   Product     Version range      Fixed in
pac4j    pac4j-jwt   >= 4.0, < 4.5.9    4.5.9
pac4j    pac4j-jwt   >= 5.0, < 5.7.9    5.7.9
pac4j    pac4j-jwt   >= 6.0, < 6.3.3    6.3.3

Detection & IOCs (extracted from sources)

  • Detect JWE-wrapped PlainJWT tokens in authentication flows: a JWT with 'alg: none' or no signature wrapped inside a JWE structure is a strong indicator of an exploitation attempt against CVE-2026-29000.
  • Monitor JwtAuthenticator processing paths in pac4j-jwt for tokens that are encrypted (JWE) but contain an unsigned/plain inner JWT; this combination should never appear in legitimate traffic.
  • Alert on authentication events where elevated role claims (e.g., admin) are asserted via JWT but the token lacks a valid signature; this is indicative of forged tokens exploiting this bypass.
  • Vulnerable versions of org.pac4j:pac4j-jwt are prior to 4.5.9, 5.7.9, and 6.3.3; deployments on any of these branches must be patched to the respective fixed version.
  • The attack requires the attacker to possess the server's RSA public key; environments where the RSA public key is not publicly exposed reduce (but do not eliminate) exploitability.
  • A public exploit exists for this CVE (CVSS 9.3 CRITICAL); prioritize patching and detection given confirmed exploit availability.
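The first three detection points above reduce to one structural check: after a JWE is decrypted, the recovered plaintext must itself be a signed JWS, never a PlainJWT. The following is an added example, not pac4j or Nimbus code, showing how a server-side filter or a log-analysis job can apply that check from the shape of a compact-serialized token alone. It assumes the application has already decrypted the JWE (the function receives the inner plaintext) and that the role names in ELEVATED_ROLES are the deployment's own; the sample tokens are constructed in the block for testing the classifier. Signature verification itself stays with the JWT library; this check only ensures there is a signature to verify.

```python
import base64
import hashlib
import hmac
import json

# Added example (not pac4j or Nimbus code). The role names are assumed; the
# audit runs on the plaintext the application recovers after JWE decryption.
ELEVATED_ROLES = {"ROLE_ADMIN", "admin"}


def b64url_decode(segment: str) -> bytes:
    """Base64url decode, restoring the padding that compact serialization drops."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def classify(token: str) -> str:
    """Return 'JWE', 'JWS' or 'UNSIGNED' from the shape of a compact-serialized token.

    JWE compact form has five dot-separated segments, JWS has three. A three-segment
    token with alg=none or an empty signature segment is a PlainJWT: nothing in it
    is integrity-protected, so its claims must never be trusted.
    """
    parts = token.split(".")
    if len(parts) == 5:
        return "JWE"
    if len(parts) != 3:
        raise ValueError("not a compact-serialized JWT")
    header = json.loads(b64url_decode(parts[0]))
    if str(header.get("alg", "none")).lower() == "none" or parts[2] == "":
        return "UNSIGNED"
    return "JWS"


def audit_inner_token(inner: str) -> list[str]:
    """Findings for the plaintext recovered from a JWE, evaluated before any claim is used.

    Does not verify a signature (the JWT library does that); it enforces that a
    signature exists to verify, which is exactly what a JWE-wrapped PlainJWT lacks.
    """
    findings = []
    kind = classify(inner)
    if kind == "JWE":
        return ["inner token is itself a JWE; nesting is not expected here"]
    if kind == "UNSIGNED":
        findings.append("inner token is unsigned (PlainJWT); expected a signed JWS")
        claims = json.loads(b64url_decode(inner.split(".")[1]))
        if set(claims.get("roles", [])) & ELEVATED_ROLES:
            findings.append("elevated role asserted without a signature")
    return findings


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed test input: an alg=none token with an empty signature segment."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def make_hs256_jwt(claims: dict, key: bytes) -> str:
    """Constructed test input: a structurally valid signed JWS.

    HS256 is used for brevity; the affected deployments use RSA, but the shape
    check is identical for any signed JWS.
    """
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


if __name__ == "__main__":
    unsigned_sample = make_unsigned_jwt({"sub": "alice", "roles": ["ROLE_ADMIN"]})
    signed_sample = make_hs256_jwt({"sub": "alice", "roles": ["ROLE_USER"]}, b"constructed-test-key")
    print(classify(unsigned_sample), audit_inner_token(unsigned_sample))
    print(classify(signed_sample), audit_inner_token(signed_sample))
```

In a deployment the same logic belongs at the point where the decrypted JWE payload is handed to the authenticator: if audit_inner_token returns any finding, the request is rejected and the event logged with the findings as the alert reason, which covers the "encrypted but unsigned inner JWT" and "elevated role without valid signature" indicators listed above.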

CVSS provenance

NVD, CVSS v3.1: 9.1 CRITICAL
  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
NVD, CVSS v4.0: 9.3 CRITICAL
  CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X