CVE-2026-29000

critical

Description

pac4j-jwt versions prior to 4.5.9, 5.7.9, and 6.3.3 contain an authentication bypass vulnerability in JwtAuthenticator when processing encrypted JWTs that allows remote attackers to forge authentication tokens. Attackers who possess the server's RSA public key can create a JWE-wrapped PlainJWT with arbitrary subject and role claims, bypassing signature verification to authenticate as any user including administrators.

References

https://www.pac4j.org/blog/security-advisory-pac4j-jwt-jwtauthenticator.html

https://www.codeant.ai/security-research/pac4j-jwt-authentication-bypass-public-key

https://www.vulncheck.com/advisories/pac4j-jwt-jwtauthenticator-authentication-bypass

Details

Source: Mitre, NVD

Published: 2026-03-04

Updated: 2026-03-04

Risk Information

CVSS v2

Base Score: 9.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:P

Severity: High

CVSS v3

Base Score: 10

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L

Severity: Critical

CVSS v4

Base Score: 10

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L

Severity: Critical