Vulnerability in Pac4j Pac4j-jwt
CVE-2026-29000
pac4j-jwt versions prior to 4.5.9, 5.7.9, and 6.3.3 contain an authentication bypass vulnerability in JwtAuthenticator when processing encrypted JWTs that allows remote attackers to forge authentication tokens. Attackers who possess the se…
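The page truncates the technical details of the bug, so the following is an added illustration of the weakness class the FAQ names (Improper Verification of Cryptographic Signature) as it applies to encrypted JWTs, not pac4j's own code and not a reproduction of the specific defect. It is written against the nimbus-jose-jwt API that pac4j-jwt builds on; the class name `NestedJwtCheck`, the method names, the randomly generated keys and the claim values are all assumptions made for the example. The vulnerable validator treats successful decryption as proof of authenticity, so anyone holding the encryption key can place plain, unsigned claims inside a JWE and be accepted; the hardened validator insists that the decrypted payload is a signed JWT whose signature verifies under the signing key.

```java
import com.nimbusds.jose.EncryptionMethod;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWEHeader;
import com.nimbusds.jose.JWEObject;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.Payload;
import com.nimbusds.jose.crypto.DirectDecrypter;
import com.nimbusds.jose.crypto.DirectEncrypter;
import com.nimbusds.jose.crypto.MACSigner;
import com.nimbusds.jose.crypto.MACVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;

import java.security.SecureRandom;
import java.text.ParseException;

// Added example: generic decrypt-then-verify flow, not pac4j's JwtAuthenticator.
public class NestedJwtCheck {

    // Illustrative keys, generated fresh on each run (assumption, not from the advisory).
    static final byte[] ENC_KEY = new byte[32]; // 256-bit key for "dir" + A256GCM
    static final byte[] SIG_KEY = new byte[32]; // 256-bit secret for HS256
    static {
        SecureRandom rng = new SecureRandom();
        rng.nextBytes(ENC_KEY);
        rng.nextBytes(SIG_KEY);
    }

    static JWTClaimsSet claimsFor(String subject) {
        return new JWTClaimsSet.Builder().subject(subject).issuer("example-idp").build();
    }

    // What the issuer produces: sign first, then encrypt the signed token (RFC 7519, section 5.2).
    static String issueNestedToken(String subject) throws JOSEException {
        SignedJWT jws = new SignedJWT(new JWSHeader(JWSAlgorithm.HS256), claimsFor(subject));
        jws.sign(new MACSigner(SIG_KEY));
        JWEHeader header = new JWEHeader.Builder(JWEAlgorithm.DIR, EncryptionMethod.A256GCM)
                .contentType("JWT") // marks the payload as a nested JWT
                .build();
        JWEObject jwe = new JWEObject(header, new Payload(jws));
        jwe.encrypt(new DirectEncrypter(ENC_KEY));
        return jwe.serialize();
    }

    // What a party holding only ENC_KEY can produce: plain, unsigned claims wrapped in a JWE.
    static String forgeUnsignedToken(String subject) throws JOSEException {
        JWEHeader header = new JWEHeader.Builder(JWEAlgorithm.DIR, EncryptionMethod.A256GCM).build();
        JWEObject jwe = new JWEObject(header, new Payload(claimsFor(subject).toJSONObject()));
        jwe.encrypt(new DirectEncrypter(ENC_KEY));
        return jwe.serialize();
    }

    // VULNERABLE pattern: a payload that is not a signed JWT is accepted because it decrypted.
    // Decryption only proves knowledge of ENC_KEY; it says nothing about who authored the claims.
    static String vulnerableValidate(String token) throws ParseException, JOSEException {
        JWEObject jwe = JWEObject.parse(token);
        jwe.decrypt(new DirectDecrypter(ENC_KEY));
        SignedJWT inner = jwe.getPayload().toSignedJWT();
        if (inner != null && inner.verify(new MACVerifier(SIG_KEY))) {
            return inner.getJWTClaimsSet().getSubject();
        }
        // Fallback that creates the bypass: unsigned claims are trusted as-is.
        return JWTClaimsSet.parse(jwe.getPayload().toJSONObject()).getSubject();
    }

    // HARDENED pattern: the decrypted payload must be a signed JWT with the expected algorithm,
    // and its signature must verify under SIG_KEY before any claim is used.
    static String hardenedValidate(String token) throws ParseException, JOSEException {
        JWEObject jwe = JWEObject.parse(token);
        jwe.decrypt(new DirectDecrypter(ENC_KEY));
        SignedJWT inner = jwe.getPayload().toSignedJWT();
        if (inner == null) {
            throw new JOSEException("encrypted payload is not a signed JWT");
        }
        if (!JWSAlgorithm.HS256.equals(inner.getHeader().getAlgorithm())) {
            throw new JOSEException("unexpected inner alg: " + inner.getHeader().getAlgorithm());
        }
        if (!inner.verify(new MACVerifier(SIG_KEY))) {
            throw new JOSEException("inner JWT signature does not verify");
        }
        return inner.getJWTClaimsSet().getSubject();
    }

    public static void main(String[] args) throws Exception {
        String legit = issueNestedToken("alice");
        String forged = forgeUnsignedToken("admin");

        System.out.println("vulnerable, legit : " + vulnerableValidate(legit));   // alice
        System.out.println("vulnerable, forged: " + vulnerableValidate(forged));  // admin (bypass)
        System.out.println("hardened,   legit : " + hardenedValidate(legit));     // alice
        try {
            hardenedValidate(forged);
        } catch (JOSEException e) {
            System.out.println("hardened,   forged: rejected (" + e.getMessage() + ")");
        }
    }
}
```

The example deliberately checks only the signature question; a production validator also needs expiry, issuer and audience checks. The point that carries over to any JWE-consuming authenticator is that a symmetric encryption key shared with other parties is not an authentication secret: integrity must come from a signature the token consumer verifies, with an explicitly pinned algorithm, on every decrypted payload.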
EPSS: 0.059 (92.3rd percentile).
CVSS v3 metric
CVSS v3 base score 9.1 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N.
Affected products
- Pac4j Pac4j-jwt: 4.x before 4.5.9, 5.x before 5.7.9, and 6.x before 6.3.3 (the vulnerability is fixed in those releases)
Weakness classification (CWE)
- CWE-347: Improper Verification of Cryptographic Signature
Public proof-of-concept exploits
- kernelzeroday/CVE-2026-29000
- tc4dy/CVE-2026-29000-PoC-Exploit
- STK-Security/CVE-2026-29000-pac4j-jwt
- strikoder/CVE-2026-29000-pac4j-jwt
- RootX111/cve-2026-29000
- c0gnit00/CVE-2026-29000
- otuva/CVE-2026-29000
- manbahadurthapa1248/CVE-2026-29000---pac4j-jwt-Authentication-Bypass-PoC
- lucastran05/CVE-2026-29000
- zF-tm/CVE-2026-29000
References
- disclosure@vulncheck.com: vendor advisory; technical description and exploit; third-party advisory
Frequently asked questions
- What is CVE-2026-29000?
- CVE-2026-29000 is a critical-severity vulnerability in Pac4j Pac4j-jwt, classified under Improper Verification of Cryptographic Signature. CVSS score: 9.1/10. Published 2026-03-04.
- How severe is CVE-2026-29000?
- Critical severity. CVSS v3 base score is 9.1 out of 10.
- Is CVE-2026-29000 known to be exploited?
- 21 public proof-of-concept repositories are indexed (ten of them are listed above). Not currently listed in the CISA KEV catalog.