Main Vulnerability Database SB2026030924

SB2026030924 - Authentication bypass in pac4j

Published: March 9, 2026

Security Bulletin ID SB2026030924

Severity

Critical

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Improper verification of cryptographic signature (CVE-ID: CVE-2026-29000)

The vulnerability allows a remote attacker to bypass authentication checks.

The vulnerability exists due to an error in JwtAuthenticator when processing encrypted JWTs. A remote non-authenticated attacker with possession of the server's RSA public key can create a JWE-wrapped PlainJWT with arbitrary subject and role claims, bypass signature verification and authenticated as any user including administrators.

Remediation

Install update from vendor's website.

References

https://www.codeant.ai/security-research/pac4j-jwt-authentication-bypass-public-key
https://www.pac4j.org/blog/security-advisory-pac4j-jwt-jwtauthenticator.html
https://www.vulncheck.com/advisories/pac4j-jwt-jwtauthenticator-authentication-bypass