Threat Feed
critical advisory

CVE-2026-29000: pac4j JWT Authentication Bypass Vulnerability

A public exploit is available for CVE-2026-29000, a critical authentication bypass vulnerability in pac4j's JWT implementation, allowing attackers to forge admin tokens without a valid signature by exploiting flaws in the library's handling of unsigned tokens and JWE-wrapped tokens.

A proof-of-concept exploit has been released for CVE-2026-29000, a critical authentication bypass vulnerability affecting the pac4j JWT implementation. This flaw allows attackers to forge administrative tokens without possessing a valid signature. The vulnerability stems from the library’s acceptance of unsigned tokens with the alg: "none" header and its failure to properly validate the inner JWT signature when using JWE-wrapped tokens. An attacker can craft an unsigned JWT containing arbitrary claims such as role: "ROLE_ADMIN", encrypt it using the server’s public key, and subsequently gain unauthorized administrative access. This exploit poses a significant risk to applications utilizing vulnerable versions of pac4j, particularly those that rely on JWT-based authentication for access control.

Attack Chain

  1. The attacker identifies a target application using pac4j for JWT authentication that exposes a JWKS endpoint (e.g., /.well-known/jwks.json or /api/auth/jwks).
  2. The attacker retrieves the server’s public key from the JWKS endpoint using curl or a similar tool.
  3. The attacker crafts an unsigned JWT with the header {"alg": "none", "type": "JWT"} and a payload containing malicious claims, such as {"sub": "attacker", "role": "ROLE_ADMIN"}.
  4. The attacker encrypts the unsigned JWT into a JWE token using the server’s RSA public key and an encryption algorithm like RSA-OAEP-256 with A128GCM.
  5. The attacker sends an HTTP request to a protected endpoint with the forged JWE token in the Authorization header (e.g., Authorization: Bearer <jwe_token>).
  6. The vulnerable pac4j implementation on the server decrypts the JWE token.
  7. Due to the lack of signature validation on the inner JWT, the server trusts the claims in the unsigned JWT, including the ROLE_ADMIN claim.
  8. The attacker gains unauthorized administrative access to the application and its resources.

Impact

Successful exploitation of CVE-2026-29000 allows an attacker to bypass authentication and gain administrative privileges on the affected application. This can lead to complete compromise of the application, including data theft, modification, and deletion, as well as potential lateral movement to other systems. The impact is particularly severe for applications that handle sensitive data or control critical infrastructure. The availability of a public exploit increases the likelihood of widespread exploitation.

Recommendation

  • Apply the recommended mitigation steps for developers using pac4j: enforce JWT signature verification, validate the JWT algorithm (rejecting alg: "none"), and update pac4j to the latest version.
  • For system administrators, restrict access to the JWKS endpoint (e.g., using Nginx configuration as described in the source content) to internal networks only to mitigate reconnaissance attempts.
  • Deploy the provided Sigma rule to detect the acceptance of JWT tokens with the alg: none header.
  • Monitor authentication logs for warnings about unsigned tokens being accepted, as detailed in the “Detection and Indicators” section.
  • Use the provided network indicators (URLs) to identify potential reconnaissance activity targeting JWKS endpoints.
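The first two mitigation points above (enforce signature verification, reject alg "none", and verify the inner token of a JWE rather than trusting it because it decrypted) can be shown in a small verifier. The following is an added example written for this advisory, not pac4j's code. It uses only the Python standard library, so the signed algorithm is HMAC-SHA256 (HS256) rather than the RSA keys the advisory mentions, and the demo key and claims are constructed; a JWE library's decryption step is assumed to hand its plaintext to verify_nested_jwt.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; a real deployment takes the verification key from its key store.
DEMO_HMAC_KEY = b"constructed-demo-secret-not-for-production"
# Explicit allowlist of signature algorithms. "none" is never on it.
ALLOWED_ALGS = frozenset({"HS256"})


class TokenRejected(Exception):
    """Raised when a token fails the algorithm policy or the signature check."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _json_segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint a legitimately signed compact JWS (HS256 = HMAC-SHA256)."""
    header = _json_segment({"alg": "HS256", "typ": "JWT"})
    payload = _json_segment(claims)
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def make_unsigned_jwt(claims: dict) -> str:
    """Build the token shape the advisory describes: alg none and an empty signature segment."""
    header = _json_segment({"alg": "none", "typ": "JWT"})
    return f"{header}.{_json_segment(claims)}."


def verify_jws(token: str, key: bytes, allowed_algs=ALLOWED_ALGS) -> dict:
    """Return the claims only if alg is allowlisted and the HMAC signature verifies."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("expected a compact JWS with three segments")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError) as exc:
        raise TokenRejected("malformed JOSE header") from exc
    alg = header.get("alg") if isinstance(header, dict) else None
    # Policy first: anything off the allowlist ("none" included) is refused before any
    # claim is read, so a forged ROLE_ADMIN claim never reaches authorization logic.
    if not isinstance(alg, str) or alg not in allowed_algs:
        raise TokenRejected(f"algorithm {alg!r} is not permitted")
    if alg != "HS256":
        raise TokenRejected("this demo verifier implements HS256 only")
    if not sig_b64:
        raise TokenRejected("missing signature")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenRejected("signature mismatch")
    claims = json.loads(_b64url_decode(payload_b64))
    if not isinstance(claims, dict):
        raise TokenRejected("claims must be a JSON object")
    return claims


def verify_nested_jwt(decrypted_plaintext: bytes, key: bytes, allowed_algs=ALLOWED_ALGS) -> dict:
    """Apply this to the plaintext a JWE library returns after decryption (assumed caller).
    Successful decryption proves nothing about who minted the token, because anyone holding
    the server's public key can encrypt to it; the inner content must be a JWS that passes
    verify_jws before any claim is trusted."""
    try:
        inner = decrypted_plaintext.decode("ascii")
    except UnicodeDecodeError as exc:
        raise TokenRejected("inner content is not a compact JWS") from exc
    return verify_jws(inner, key, allowed_algs)


def is_admin(claims: dict) -> bool:
    return claims.get("role") == "ROLE_ADMIN"


def demo() -> dict:
    """Run the forged and the legitimate token through the hardened check."""
    forged = make_unsigned_jwt({"sub": "attacker", "role": "ROLE_ADMIN"})
    legit = sign_hs256({"sub": "alice", "role": "ROLE_USER"}, DEMO_HMAC_KEY)
    results = {}
    for name, token in (("forged", forged), ("legit", legit)):
        try:
            claims = verify_nested_jwt(token.encode("ascii"), DEMO_HMAC_KEY)
            results[name] = ("accepted", is_admin(claims))
        except TokenRejected as exc:
            results[name] = ("rejected", str(exc))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The ordering inside verify_jws is the point: the algorithm check runs against a fixed allowlist before the signature is examined and before any claim is parsed, and an empty signature segment is an error rather than a no-op. verify_nested_jwt makes the JWE case explicit: decryption only establishes confidentiality, so the decrypted content is re-run through the same verifier that any bare token would get.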

Detection coverage (2)

Detect JWT with alg None
Severity: high
Detects JWT tokens with an 'alg: none' header, indicating a possible authentication bypass attempt (CVE-2026-29000).
Format: Sigma. Tactics: initial_access. Techniques: T1555. Sources: webserver.

Detect JWKS Endpoint Access
Severity: medium
Detects access to common JWKS endpoints, which could indicate reconnaissance activity related to CVE-2026-29000.
Format: Sigma. Tactics: reconnaissance. Techniques: T1595. Sources: webserver.
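The two rules above are simple enough to reproduce as a log scanner, which also makes their limits visible. The following is an added example, not the platform's Sigma rules or pac4j code. It assumes a reverse proxy writing common log format plus a trailing auth="..." field carrying the Authorization header (a constructed format); the JWKS paths come from the advisory, and the sample log lines and tokens are constructed inline.

```python
import base64
import json
import re
from typing import List, Optional, Tuple

# JWKS paths named in the advisory's attack chain.
JWKS_PATHS = ("/.well-known/jwks.json", "/api/auth/jwks")

# Assumed (constructed) log format: common log format followed by auth="<Authorization header>".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)" auth="(?P<auth>[^"]*)"$'
)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _token(header: dict, claims: dict, signature: str) -> str:
    """Assemble a compact JWS from its parts (signature passed through as-is)."""
    def enc(obj: dict) -> str:
        return _b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))
    return f"{enc(header)}.{enc(claims)}.{signature}"


def _make_line(ip: str, ts: str, path: str, ua: str, auth: str) -> str:
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 128 "-" "{ua}" auth="{auth}"'


# Constructed sample traffic: a key fetch, a forged alg-none bearer token from the same
# source, a normally signed token from another client, and an unrelated static request.
SAMPLE_LOGS = [
    _make_line("10.0.0.5", "01/Mar/2026:10:00:01 +0000", "/.well-known/jwks.json", "curl/8.5.0", "-"),
    _make_line("10.0.0.5", "01/Mar/2026:10:00:09 +0000", "/api/protected", "curl/8.5.0",
               "Bearer " + _token({"alg": "none", "typ": "JWT"},
                                  {"sub": "attacker", "role": "ROLE_ADMIN"}, "")),
    _make_line("10.0.0.7", "01/Mar/2026:10:01:00 +0000", "/api/protected", "Mozilla/5.0",
               "Bearer " + _token({"alg": "HS256", "typ": "JWT"}, {"sub": "alice"}, "c2lnbmF0dXJl")),
    _make_line("10.0.0.9", "01/Mar/2026:10:02:00 +0000", "/static/app.js", "Mozilla/5.0", "-"),
]


def jose_alg(compact_token: str) -> Optional[str]:
    """Decode the first (JOSE header) segment and return its alg, or None if undecodable.
    Segment 0 is the header for both 3-segment JWS and 5-segment JWE tokens."""
    head = compact_token.split(".", 1)[0]
    try:
        header = json.loads(base64.urlsafe_b64decode(head + "=" * (-len(head) % 4)))
    except (ValueError, UnicodeDecodeError):
        return None
    return header.get("alg") if isinstance(header, dict) else None


Finding = Tuple[str, str, str, str]  # (rule name, severity, source ip, path)


def analyse_line(line: str) -> List[Finding]:
    """Apply both rules to one log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    findings: List[Finding] = []
    path = m.group("path").split("?", 1)[0]
    if path in JWKS_PATHS:
        findings.append(("Detect JWKS Endpoint Access", "medium", m.group("ip"), path))
    auth = m.group("auth")
    if auth.lower().startswith("bearer "):
        alg = jose_alg(auth[7:].strip())
        # Case-insensitive on purpose: a lax parser might accept "None" or "NONE" as well.
        if alg is not None and alg.lower() == "none":
            findings.append(("Detect JWT with alg None", "high", m.group("ip"), path))
    return findings


def scan(lines) -> List[Finding]:
    out: List[Finding] = []
    for line in lines:
        out.extend(analyse_line(line))
    return out


def correlate(findings: List[Finding]) -> List[str]:
    """Source IPs seen both fetching a JWKS endpoint and presenting an alg-none token."""
    recon = {f[2] for f in findings if f[0] == "Detect JWKS Endpoint Access"}
    bypass = {f[2] for f in findings if f[0] == "Detect JWT with alg None"}
    return sorted(recon & bypass)


if __name__ == "__main__":
    found = scan(SAMPLE_LOGS)
    for rule, severity, ip, path in found:
        print(f"[{severity}] {rule}: {ip} {path}")
    print("recon + bypass from:", correlate(found))
```

One caveat this makes concrete: the JWE-wrapped variant in the attack chain shows an outer header of RSA-OAEP-256 on the wire, so a web-server-side check of the bearer token's first segment sees nothing unusual. The 'alg: none' header only becomes visible after the application decrypts the token, which is why the recommendation to watch the application's own warnings about unsigned tokens matters alongside this rule; the JWKS-access rule is the part that works from proxy logs alone.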


Indicators of compromise (4)

Type  Value
url   https://sploitus.com/exploit?id=E5F015F5-2527-5C8C-9121-DFE5716A24F8&utm_source=rss&utm_medium=rss
url   http://target:8080/.well-known/jwks.json
url   http://target:8080/api/auth/jwks
url   http://target:8080/api/protected