PatchSiren

pac4j CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

CRITICAL pac4j CVE published 2026-03-04

CVE-2026-29000

CVE-2026-29000 is an authentication bypass vulnerability in pac4j-jwt versions prior to 4.5.9, 5.7.9, and 6.3.3. The vulnerability is located in JwtAuthenticator when processing encrypted JWTs, allowing remote attackers to forge authentication tokens. Attackers who possess the server's RSA public key can create a JWE-wrapped PlainJWT with arbitrary subject and role claims, bypassing signature verification [truncated]