CVE-2026-29000
Severity: CRITICAL (CVSS 10)
The JwtAuthenticator in pac4j-jwt skips signature verification when the payload of a JWE is an unsigned PlainJWT. Because the JWE is encrypted to the server's RSA public key, an attacker who holds that key (for example, fetched from the server's JWKS) can wrap forged claims in a JWE and have them accepted as a valid authentication token, without access to any private key.
Published: 1/20/2026
Affected: pac4j-jwt < 4.5.9 / < 5.7.9 / < 6.3.3
Available exploits (1)
CVE-2026-29000 - Python Token Forge
@B0ySie7e
1/20/2026
Python PoC that forges a valid pac4j-jwt authentication token from the server's RSA public key (JWKS) by wrapping an unsigned PlainJWT inside a JWE.
Tags: Authentication Bypass, JWT, Critical
Status: VERIFIED
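The check that closes this class of bug, as an added example covering both the advisory description and the PoC summary above (this is not the advisory's text, not pac4j's code, and not the listed PoC): it builds the unsigned PlainJWT an attacker would place inside the JWE, models the flawed acceptance path beside a hardened one, and verifies an HS256 signature so the hardened path can be exercised end to end. The JWE layer is assumed to have been decrypted upstream; every function takes the decrypted inner payload as a string. HS256 stands in for the deployment's RSA because it needs no third-party library; the key, claims and token values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample inputs for the example (not from the advisory or the PoC).
SIGNING_KEY = b"server-side-hmac-secret-for-example"
ATTACKER_CLAIMS = {"sub": "admin", "iss": "https://idp.example", "exp": 4102444800}


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JOSE compact serialization requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jose_header(token: str) -> dict:
    return json.loads(b64url_decode(token.split(".")[0]))


def make_plain_jwt(claims: dict) -> str:
    """Unsigned PlainJWT (RFC 7519 'Unsecured JWT'): alg=none and an empty
    third segment. This is the inner payload the advisory describes; the
    attacker would then JWE-encrypt this string to the server's RSA public key
    (the JWE step is not performed here)."""
    h = b64url_encode(json.dumps({"alg": "none"}, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{h}.{p}."


def make_signed_jwt(claims: dict, key: bytes) -> str:
    """HS256-signed JWS, the shape a legitimate inner (nested) JWT should have."""
    h = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"


def verify_hs256(token: str, key: bytes) -> bool:
    """Constant-time HS256 check; refuses any alg other than the one expected."""
    h, p, s = token.split(".")
    if jose_header(token).get("alg") != "HS256":
        return False
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(s))


def classify(token: str) -> str:
    """Classify a compact-serialized JOSE object: 5 segments is a JWE, 3 is a
    JWS or, when the signature segment is empty or alg is none, a PlainJWT."""
    parts = token.split(".")
    if len(parts) == 5:
        return "JWE"
    if len(parts) != 3:
        return "INVALID"
    if parts[2] == "" or jose_header(token).get("alg") == "none":
        return "PLAIN"
    return "JWS"


def accept_inner_vulnerable(inner: str) -> Optional[dict]:
    """Models the flawed path: once the JWE has been decrypted, the inner JWT's
    claims are trusted whether or not it carries a signature."""
    if classify(inner) in ("JWS", "PLAIN"):
        return json.loads(b64url_decode(inner.split(".")[1]))
    return None


def accept_inner_hardened(inner: str, key: bytes) -> Optional[dict]:
    """Fixed path: the decrypted payload must be a JWS whose signature verifies.
    A PlainJWT is rejected outright; decryption alone proves nothing about origin."""
    if classify(inner) != "JWS" or not verify_hs256(inner, key):
        return None
    return json.loads(b64url_decode(inner.split(".")[1]))


if __name__ == "__main__":
    forged = make_plain_jwt(ATTACKER_CLAIMS)
    print("forged inner token:", forged)
    print("vulnerable path accepts:", accept_inner_vulnerable(forged))
    print("hardened path accepts:", accept_inner_hardened(forged, SIGNING_KEY))
    print("hardened path, legitimate token:",
          accept_inner_hardened(make_signed_jwt({"sub": "alice"}, SIGNING_KEY), SIGNING_KEY))
```

The design point is that an RSA-encrypted JWE gives confidentiality only: anyone holding the public key can produce one, so authenticity has to come from a signature on the inner JWT. A receiver that decrypts a JWE must therefore require the plaintext to be a signed JWS and verify it with the expected algorithm and key, and must treat an alg=none or empty-signature payload as a hard failure rather than as an already-authenticated token.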