## Critical Pac4j-JWT Flaw (CVE-2026-29000) Exposes Authentication Bypass Risk
A critical security vulnerability in the widely used pac4j-jwt library allows attackers to forge authentication tokens and bypass signature verification entirely. Designated CVE-2026-29000, the flaw resides in the JwtAuthenticator component when it processes encrypted JWTs. Because an RSA public key is not secret and only encrypts, anyone who holds the server's public key can produce a JWE the server will decrypt; the flaw is that the decrypted content is then accepted even when it is an unsigned PlainJWT. An attacker can therefore craft a JWE-wrapped PlainJWT carrying arbitrary subject and role claims and authenticate as any user.

The vulnerability affects all pac4j-jwt versions prior to 4.5.9, 5.7.9, and 6.3.3. The issue was identified in a GitHub dependency update pull request, which flagged the update from version 4.5.2 to 4.5.9 as a security fix. The core of the exploit lies in the library's failure to require and validate a signature on the payload of an encrypted JWT: a token whose encryption layer is valid but whose inner payload is unsigned and forged is accepted as legitimate.
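The two acceptance paths described above, as an added example that is not part of the advisory or of pac4j's own code: the outer JWE decryption is assumed to have already happened, and the inner token is checked with a stdlib HMAC verifier in place of the RSA keys a real deployment would use; the allowed-algorithm set, HMAC key, token builders and claims are all constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

ALLOWED_ALGS = {"HS256"}  # signature algs this service accepts for the inner token

def _b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def lenient_inner_claims(inner: str) -> dict:
    """Models the flawed path: read the claims of whatever the JWE contained."""
    return json.loads(_b64url_decode(inner.split(".")[1]))

def hardened_inner_claims(inner: str, hmac_key: bytes) -> dict:
    """Models the fixed path: decrypting the JWE only proves the sender had the
    public key, so the inner token must be a JWS with an allowed alg and a valid
    signature. A PlainJWT ("h.p." or "h.p", alg "none") is rejected."""
    parts = inner.split(".")
    if len(parts) != 3 or not parts[2]:
        raise ValueError("inner token is not a signed JWS")
    header_b64, payload_b64, sig_b64 = parts
    alg = json.loads(_b64url_decode(header_b64)).get("alg")
    if alg not in ALLOWED_ALGS:
        raise ValueError(f"inner token alg {alg!r} is not allowed")
    expected = hmac.new(hmac_key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("inner token signature does not verify")
    return json.loads(_b64url_decode(payload_b64))

def hardened_accepts(inner: str, hmac_key: bytes) -> bool:
    try:
        hardened_inner_claims(inner, hmac_key)
        return True
    except (ValueError, KeyError, IndexError):
        return False

DEMO_KEY = b"constructed-demo-hmac-key"  # constructed for the demo only

def make_plain_jwt(claims: dict) -> str:
    """Unsecured JWT in RFC 7519 form: alg "none" and an empty signature segment."""
    return f'{_b64url_encode(json.dumps({"alg": "none"}).encode())}.{_b64url_encode(json.dumps(claims).encode())}.'

def make_hs256_jwt(claims: dict, key: bytes) -> str:
    head = _b64url_encode(json.dumps({"alg": "HS256"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url_encode(sig)}"
```

Run `hardened_accepts(make_plain_jwt({"sub": "admin"}), DEMO_KEY)` against `lenient_inner_claims` on the same token to see the forged claims pass the lenient path and fail the hardened one.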

This authentication bypass poses a severe risk to any application relying on pac4j-jwt for securing endpoints with JSON Web Tokens. The flaw could lead to unauthorized access to sensitive data, administrative functions, or user accounts. The maintainers have released patched versions, and the immediate pressure is on development teams to update their dependencies. The presence of this vulnerability in a core authentication library underscores the persistent risk in software supply chains and the critical need for timely security updates.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CVE-2026-29000, authentication-bypass, JWT, security-vulnerability, supply-chain
- **Credibility**: unverified
- **Published**: 2026-04-07 22:27:18
- **ID**: 53864
- **URL**: https://whisperx.ai/en/intel/53864