Advisory

Critical Authentication Bypass in pac4j-jwt Library Allows Full User Impersonation

Take action: If your Java applications use pac4j-jwt, this is urgent! Update to the latest patched versions immediately because there is no practical way to hide your app from the internet, and the exploit is trivial - it will be exploited in a matter of days.


A critical security vulnerability has been reported in the pac4j-jwt Java authentication library, which is widely used to secure enterprise applications and web services.

The flaw is tracked as CVE-2026-29000 (CVSS score 10.0): an authentication bypass in the JwtAuthenticator component that occurs when processing encrypted JWTs. Attackers can wrap an unsigned 'PlainJWT' inside a JSON Web Encryption (JWE) envelope using the server's public RSA key, which is often publicly accessible. Because the library's signature verification logic contains a flawed null check, it skips the verification step for the inner token after decryption, so the server trusts forged claims such as 'admin: true' without a valid digital signature.
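The defensive pattern the advisory implies, as an added illustration that is not pac4j's code or its actual patch: after decrypting a JWE, the validator must require a signed inner JWT and treat a missing signature as a rejection, never as "nothing to verify". It assumes the nimbus-jose-jwt API (which pac4j-jwt builds on); the class name and key handling are hypothetical.

```java
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.crypto.RSADecrypter;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.EncryptedJWT;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.jwt.SignedJWT;

/** Hypothetical hardened validator: an encrypted token is only accepted if it wraps a signed JWT. */
public final class StrictJwtValidator {

    private final RSAPrivateKey decryptionKey;   // server's private key (JWE is addressed to the server)
    private final RSAPublicKey verificationKey;  // issuer's public key (verifies the inner JWS)

    public StrictJwtValidator(RSAPrivateKey decryptionKey, RSAPublicKey verificationKey) {
        this.decryptionKey = decryptionKey;
        this.verificationKey = verificationKey;
    }

    public JWTClaimsSet validate(String token) throws ParseException, JOSEException {
        JWT jwt = JWTParser.parse(token);

        if (jwt instanceof EncryptedJWT) {
            EncryptedJWT encrypted = (EncryptedJWT) jwt;
            encrypted.decrypt(new RSADecrypter(decryptionKey));
            // toSignedJWT() returns null when the decrypted payload is not a signed JWT (e.g. a PlainJWT).
            // The vulnerable pattern treats that null as "skip verification"; here it is a hard failure.
            SignedJWT inner = encrypted.getPayload().toSignedJWT();
            if (inner == null) {
                throw new SecurityException("encrypted token does not wrap a signed JWT; unsigned claims rejected");
            }
            return verifySigned(inner);
        }
        if (jwt instanceof SignedJWT) {
            return verifySigned((SignedJWT) jwt);
        }
        // A top-level PlainJWT (alg=none) is never acceptable as proof of identity.
        throw new SecurityException("unsigned JWT rejected");
    }

    private JWTClaimsSet verifySigned(SignedJWT signed) throws JOSEException, ParseException {
        if (!signed.verify(new RSASSAVerifier(verificationKey))) {
            throw new SecurityException("JWT signature verification failed");
        }
        return signed.getJWTClaimsSet();  // claims are only read after the signature checks out
    }
}
```

Claims such as expiry and audience still need to be checked on the returned JWTClaimsSet; this class only closes the signed-versus-unsigned gap.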

The following versions of the pac4j-jwt library are confirmed to be affected:

  • pac4j-jwt 4.x versions prior to 4.5.9
  • pac4j-jwt 5.x versions prior to 5.7.9
  • pac4j-jwt 6.x versions prior to 6.3.3

Maintainer Jérôme Leleu released emergency patches within two business days of the private disclosure to address the flaw. 

Organizations must immediately update their project dependencies via Maven or Gradle to versions 4.5.9, 5.7.9, or 6.3.3 respectively. Security teams should also scan their codebases for mixed encryption-signature configurations in JwtAuthenticator and monitor application logs for anomalous JWTs that lack internal signatures. 