ID:12524 - Exploit for Improper verification of cryptographic signature in pac4j - CVE-2026-29000

Published: April 1, 2026


Vulnerability identifier: #VU123638
Vulnerability risk: Critical
CVE-ID: CVE-2026-29000
CWE-ID: CWE-347
Exploitation vector: Remote access
Vulnerable software:
pac4j

Link to public exploit:


Vulnerability description

The vulnerability allows a remote attacker to bypass authentication checks.

The vulnerability exists due to an error in JwtAuthenticator when processing encrypted JWTs. A remote non-authenticated attacker who possesses the server's RSA public key can create a JWE-wrapped PlainJWT with arbitrary subject and role claims, bypass signature verification and authenticate as any user, including administrators.
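The check a nested-JWT authenticator must make after decrypting the JWE, as an added Python example that is not pac4j's code: the decrypted payload is accepted only if it is a signed JWS whose signature verifies, and an unsigned PlainJWT (alg "none") is rejected. HS256 with a constructed key stands in for the server's real verification key so the example runs with the standard library only; the JWE decryption step is assumed to have already produced `token`.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; stands in for the real verification key.
DEMO_KEY = b"demo-key-not-a-real-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def validate_inner_token(token: str, key: bytes) -> dict:
    """Validate the compact JWT recovered from a JWE payload.

    Returns the claims only if the token is a JWS whose HS256 signature
    verifies. A PlainJWT (alg "none", empty signature) is rejected: a JWE
    proves only that the sender knew the public key, never who signed it.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("inner token is not a compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    alg = header.get("alg")
    if alg is None or alg.lower() == "none" or not sig_b64:
        raise ValueError("unsigned inner token rejected")
    if alg != "HS256":
        raise ValueError(f"unsupported alg {alg!r}")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature verification failed")
    return json.loads(_b64url_decode(payload_b64))


def make_plain_jwt(claims: dict) -> str:
    # Sample unsigned token (alg "none") constructed to exercise the check.
    header = _b64url(json.dumps({"alg": "none"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def make_signed_jwt(claims: dict, key: bytes) -> str:
    # Sample signed token constructed to exercise the check.
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def is_accepted(token: str, key: bytes) -> bool:
    try:
        validate_inner_token(token, key)
        return True
    except ValueError:
        return False
```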


Remediation

Install updates from vendor's website.