CRITICAL
pac4j
CVE published 2026-03-04
CVE-2026-29000
CVE-2026-29000 is an authentication bypass vulnerability in pac4j-jwt versions prior to 4.5.9, 5.7.9, and 6.3.3. The vulnerability is located in JwtAuthenticator when processing encrypted JWTs, allowing remote attackers to forge authentication tokens. Attackers who possess the server's RSA public key can create a JWE-wrapped PlainJWT with arbitrary subject and role claims, bypassing signature verification [truncated]