CVE-2026-29000
Published: 04 March 2026
Summary
CVE-2026-29000 is a critical-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability in Codeant (inferred from references). Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 25.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and IA-5 (Authenticator Management).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely flaw remediation including upgrading vulnerable pac4j-jwt versions to fixed releases, directly eliminating the authentication bypass vulnerability.
Mandates secure management of authenticators like JWTs, including protection against forgery and ensuring proper verification processes to mitigate token manipulation.
Implements cryptographic protections for mechanisms handling encrypted JWTs, addressing improper processing of JWE-wrapped tokens that bypass signature checks.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability enables remote exploitation of a public-facing authentication component (T1190), forging JWT authentication tokens using the public key (T1606), resulting in privilege escalation from no privileges to administrator (T1068).
NVD Description
pac4j-jwt versions prior to 4.5.9, 5.7.9, and 6.3.3 contain an authentication bypass vulnerability in JwtAuthenticator when processing encrypted JWTs that allows remote attackers to forge authentication tokens. Attackers who possess the server's RSA public key can create a JWE-wrapped PlainJWT…
more
with arbitrary subject and role claims, bypassing signature verification to authenticate as any user including administrators.
Deeper analysisAI
CVE-2026-29000, published on 2026-03-04, is an authentication bypass vulnerability (CWE-347) in the JwtAuthenticator component of pac4j-jwt versions prior to 4.5.9, 5.7.9, and 6.3.3. The flaw occurs when processing encrypted JWTs (JWE), enabling attackers to forge authentication tokens. It carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating critical severity due to high confidentiality and integrity impacts.
Remote attackers who possess the server's RSA public key can exploit this by creating a JWE-wrapped PlainJWT with arbitrary subject and role claims. This bypasses signature verification, allowing authentication as any user, including administrators, without requiring privileges or user interaction.
Advisories recommend upgrading to pac4j-jwt versions 4.5.9, 5.7.9, or 6.3.3 to mitigate the vulnerability. Additional details are available in security notices from CodeAnt AI (https://www.codeant.ai/security-research/pac4j-jwt-authentication-bypass-public-key), the pac4j project (https://www.pac4j.org/blog/security-advisory-pac4j-jwt-jwtauthenticator.html), and VulnCheck (https://www.vulncheck.com/advisories/pac4j-jwt-jwtauthenticator-authentication-bypass).
Details
- CWE(s)