CVE-2026-29000

pac4j-jwt versions prior to 4.5.9, 5.7.9, and 6.3.3 contain an authentication bypass vulnerability in JwtAuthenticator when processing encrypted JWTs that allows remote attackers to forge authentication tokens. Attackers who possess the server's RSA public key can create a JWE-wrapped PlainJWT with arbitrary subject and role claims, bypassing signature verification to authenticate as any user including administrators.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://www.codeant.ai/security-research/pac4j-jwt-authentication-bypass-public-key
https://www.pac4j.org/blog/security-advisory-pac4j-jwt-jwtauthenticator.html
https://www.vulncheck.com/advisories/pac4j-jwt-jwtauthenticator-authentication-bypass

Configurations

No configuration.

History

10 Mar 2026, 20:16

Type	Values Removed	Values Added
Summary		(es) Las versiones de pac4j-jwt anteriores a la 4.5.9, 5.7.9 y 6.3.3 contienen una vulnerabilidad de omisión de autenticación en JwtAuthenticator al procesar JWT cifrados que permite a atacantes remotos falsificar tokens de autenticación. Los atacantes que poseen la clave pública RSA del servidor pueden crear un PlainJWT envuelto en JWE con reclamaciones de sujeto y rol arbitrarias, omitiendo la verificación de firma para autenticarse como cualquier usuario, incluidos los administradores.
CVSS	v2 : ~~unknown~~ v3 : ~~10.0~~	v2 : unknown v3 : 9.1

04 Mar 2026, 22:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-04 22:16

Updated : 2026-04-16 16:18

NVD link : CVE-2026-29000

Mitre link : CVE-2026-29000

CVE.ORG link : CVE-2026-29000

JSON object : View

Products Affected

No product.

CWE

CWE-347

Improper Verification of Cryptographic Signature

{"id": "CVE-2026-29000", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "disclosure@vulncheck.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-04T22:16:18.783", "references": [{"url": "https://www.codeant.ai/security-research/pac4j-jwt-authentication-bypass-public-key", "source": "disclosure@vulncheck.com"}, {"url": "https://www.pac4j.org/blog/security-advisory-pac4j-jwt-jwtauthenticator.html", "source": "disclosure@vulncheck.com"}, {"url": "https://www.vulncheck.com/advisories/pac4j-jwt-jwtauthenticator-authentication-bypass", "source": "disclosure@vulncheck.com"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-347"}]}], "descriptions": [{"lang": "en", "value": "pac4j-jwt versions prior to 4.5.9, 5.7.9, and 6.3.3 contain an authentication bypass vulnerability in JwtAuthenticator when processing encrypted JWTs that allows remote attackers to forge authentication tokens. Attackers who possess the server's RSA public key can create a JWE-wrapped PlainJWT with arbitrary subject and role claims, bypassing signature verification to authenticate as any user including administrators."}, {"lang": "es", "value": "Las versiones de pac4j-jwt anteriores a la 4.5.9, 5.7.9 y 6.3.3 contienen una vulnerabilidad de omisi\u00f3n de autenticaci\u00f3n en JwtAuthenticator al procesar JWT cifrados que permite a atacantes remotos falsificar tokens de autenticaci\u00f3n. Los atacantes que poseen la clave p\u00fablica RSA del servidor pueden crear un PlainJWT envuelto en JWE con reclamaciones de sujeto y rol arbitrarias, omitiendo la verificaci\u00f3n de firma para autenticarse como cualquier usuario, incluidos los administradores."}], "lastModified": "2026-04-16T16:18:36.200", "sourceIdentifier": "disclosure@vulncheck.com"}