JustAppSec

CVE-2026-29000: pac4j-jwt JwtAuthenticator can be bypassed to forge admin authentication tokens

What happened

A CVE record was published for a critical authentication bypass in pac4j-jwt. The issue is in JwtAuthenticator when processing encrypted JWTs (JWE): an attacker who has the server's RSA public key can craft a JWE-wrapped PlainJWT with arbitrary subject/role claims, bypassing signature verification and authenticating as any user (including administrators).
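An added illustration of the defensive principle behind this CWE-347 bug, not pac4j's code or its fix: a validator built on the Nimbus JOSE+JWT library that treats the JWE layer as confidentiality only and accepts claims solely from a verified nested JWS. The class name, constructor and the strict cty check (RFC 7519 section 5.2) are assumptions of this example.

```java
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.crypto.RSADecrypter;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.EncryptedJWT;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.jwt.SignedJWT;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.util.Date;

/** Hypothetical hardened validator for nested (JWE-over-JWS) tokens; not pac4j code. */
public final class NestedJwtValidator {

    private final RSAPrivateKey decryptionKey;   // server key that decrypts the JWE
    private final RSAPublicKey issuerSigningKey; // issuer key that verifies the inner JWS

    public NestedJwtValidator(RSAPrivateKey decryptionKey, RSAPublicKey issuerSigningKey) {
        this.decryptionKey = decryptionKey;
        this.issuerSigningKey = issuerSigningKey;
    }

    /** Returns verified claims or throws; never trusts claims that were only encrypted. */
    public JWTClaimsSet validate(String token) throws ParseException, JOSEException {
        JWT outer = JWTParser.parse(token);
        if (!(outer instanceof EncryptedJWT)) {
            throw new JOSEException("expected an encrypted (JWE) token");
        }
        EncryptedJWT jwe = (EncryptedJWT) outer;
        jwe.decrypt(new RSADecrypter(decryptionKey));

        // Encryption proves nothing about origin: anyone holding the server's RSA public
        // key can produce a JWE that decrypts cleanly. Authenticity must come from a
        // signature, so the decrypted payload must itself be a signed JWT. For a PlainJWT
        // payload (alg "none") toSignedJWT() returns null and the token is rejected.
        SignedJWT inner = jwe.getPayload().toSignedJWT();
        if (inner == null || !"JWT".equalsIgnoreCase(jwe.getHeader().getContentType())) {
            throw new JOSEException("encrypted payload is not a signed nested JWT");
        }
        if (!inner.verify(new RSASSAVerifier(issuerSigningKey))) {
            throw new JOSEException("inner JWS signature invalid");
        }
        JWTClaimsSet claims = inner.getJWTClaimsSet();
        Date exp = claims.getExpirationTime();
        if (exp == null || exp.before(new Date())) {
            throw new JOSEException("token expired or missing exp");
        }
        return claims;
    }
}
```

The cty requirement follows RFC 7519 strictly; relax it only if your issuer is known to omit the header, but never relax the requirement that the inner payload be a verified JWS.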

Who is impacted

Deployments using pac4j-jwt in the affected ranges are impacted:

  • 4.x: 4.0 up to (but not including) 4.5.9
  • 5.x: 5.0 up to (but not including) 5.7.9
  • 6.x: 6.0 up to (but not including) 6.3.3

Severity in the CVE record is CVSS 10.0 (Critical).

What to do now

  • Upgrade pac4j-jwt to a patched version: 4.5.9, 5.7.9, or 6.3.3 (or later in the same major line).
  • If you cannot upgrade immediately, prioritize reducing exposure of services that accept JWE for authentication until patched.

Additional Information

  • CVE: CVE-2026-29000
  • Problem type: CWE-347 Improper Verification of Cryptographic Signature
  • CVSS vectors (as recorded):
    • CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L
    • CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
Source: CVEProject (cvelistV5)
Published 04 Mar 2026. Updated 04 Mar 2026.

Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly; send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
