A Vulnerability in pac4j-jwt (JwtAuthenticator) Could Allow for Authentication Bypass
ID: 3dadde2c-86cb-573a-a780-fa1ba40cc846
STIX ID: report--3dadde2c-86cb-573a-a780-fa1ba40cc846
Feed Name: CISecurity.org Advisories
A critical logic flaw in pac4j-jwt's JwtAuthenticator (CVE-2026-29000) fails to validate cryptographic signatures on encrypted JSON Web Tokens (JWE), allowing an unauthenticated remote attacker possessing only the server's public RSA key to forge JWTs and bypass authentication to impersonate any user, including administrators.
