CVE-2026-29000 — pac4j-jwt: JwtAuthenticator Authentication Bypass via JWE-Wrapped PlainJWT

Description

pac4j-jwt versions prior to 4.5.9, 5.7.9, and 6.3.3 contain an authentication bypass vulnerability in JwtAuthenticator when processing encrypted JWTs that allows remote attackers to forge authentication tokens. Attackers who possess the server's RSA public key can create a JWE-wrapped PlainJWT with arbitrary subject and role claims, bypassing signature verification to authenticate as any user including administrators.

How to fix CVE-2026-29000

To remediate CVE-2026-29000, upgrade the affected package to a fixed version below.

—upgrade to 6.3.3 or later

Is CVE-2026-29000 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 6.0.4.1, < 6.3.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L
osv	CVSS 3.1	CRITICAL10.0	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-29000
PATCHgithub.com/pac4j/pac4j
WEBwww.codeant.ai/security-research/pac4j-jwt-authentication-bypass-public-key
WEBwww.pac4j.org/blog/security-advisory-pac4j-jwt-jwtauthenticator.html