{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/pac4j/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.1,"id":"CVE-2026-29000"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["pac4j JWT module"],"_cs_severities":["critical"],"_cs_tags":["authentication-bypass","jwt","pac4j","cve-2026-29000"],"_cs_type":"advisory","_cs_vendors":["pac4j"],"content_html":"\u003cp\u003eA proof-of-concept exploit has been released for CVE-2026-29000, a critical authentication bypass vulnerability affecting the pac4j JWT implementation. This flaw allows attackers to forge administrative tokens without ever producing a valid signature. The vulnerability stems from the library\u0026rsquo;s acceptance of unsigned tokens with the \u003ccode\u003ealg: \u0026quot;none\u0026quot;\u003c/code\u003e header and its failure to validate the inner JWT signature when using JWE-wrapped tokens. An attacker can craft an unsigned JWT containing arbitrary claims such as \u003ccode\u003erole: \u0026quot;ROLE_ADMIN\u0026quot;\u003c/code\u003e, wrap it in a JWE encrypted to the server\u0026rsquo;s public key, and subsequently gain unauthorized administrative access. 
This exploit poses a significant risk to applications running vulnerable versions of pac4j, particularly those that rely on JWT-based authentication for access control.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a target application using pac4j for JWT authentication that exposes a JWKS endpoint (e.g., \u003ccode\u003e/.well-known/jwks.json\u003c/code\u003e or \u003ccode\u003e/api/auth/jwks\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the server\u0026rsquo;s public key from the JWKS endpoint using \u003ccode\u003ecurl\u003c/code\u003e or a similar tool.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an unsigned JWT with the header \u003ccode\u003e{\u0026quot;alg\u0026quot;: \u0026quot;none\u0026quot;, \u0026quot;typ\u0026quot;: \u0026quot;JWT\u0026quot;}\u003c/code\u003e, an empty signature segment, and a payload containing malicious claims, such as \u003ccode\u003e{\u0026quot;sub\u0026quot;: \u0026quot;attacker\u0026quot;, \u0026quot;role\u0026quot;: \u0026quot;ROLE_ADMIN\u0026quot;}\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker encrypts the unsigned JWT into a JWE token using the server\u0026rsquo;s RSA public key, for example with RSA-OAEP-256 for key management and A128GCM for content encryption. No secret is needed for this step: a JWE encrypted to a public key can be produced by anyone who holds that key.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an HTTP request to a protected endpoint with the forged JWE token in the \u003ccode\u003eAuthorization\u003c/code\u003e header (e.g., \u003ccode\u003eAuthorization: Bearer \u0026lt;jwe_token\u0026gt;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe vulnerable pac4j implementation on the server decrypts the JWE token with its private key. Decryption succeeds, but that only shows the token was encrypted to the server\u0026rsquo;s public key, not who produced it.\u003c/li\u003e\n\u003cli\u003eDue to the lack of signature validation on the inner JWT, the server trusts the claims in the unsigned JWT, including the \u003ccode\u003eROLE_ADMIN\u003c/code\u003e claim.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized administrative access to the application and its 
resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-29000 allows an attacker to bypass authentication and gain administrative privileges on the affected application. This can lead to complete compromise of the application, including data theft, modification, and deletion, as well as potential lateral movement to other systems. The impact is particularly severe for applications that handle sensitive data or control critical infrastructure. The availability of a public exploit increases the likelihood of widespread exploitation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpdate pac4j to the latest version. Where that cannot happen immediately, enforce signature verification on the inner JWT of every JWE-wrapped token and restrict the accepted signing algorithms to an explicit allowlist, so that \u003ccode\u003ealg: \u0026quot;none\u0026quot;\u003c/code\u003e (and any other unexpected algorithm) is rejected before any claim is read.\u003c/li\u003e\n\u003cli\u003eFor system administrators, restricting the JWKS endpoint to internal networks (e.g., with Nginx allow/deny rules) hampers reconnaissance but does not fix the flaw: the attack needs no secret, only the server\u0026rsquo;s public key.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule that accompanies this brief to detect the acceptance of JWT tokens with an \u003ccode\u003ealg: none\u003c/code\u003e header. The inner header is encrypted in transit, so this detection must run on the application\u0026rsquo;s own logs after decryption, not on network captures or reverse-proxy access logs.\u003c/li\u003e\n\u003cli\u003eMonitor authentication logs for warnings about unsigned tokens being accepted, as detailed in the \u0026ldquo;Detection and Indicators\u0026rdquo; section of the brief.\u003c/li\u003e\n\u003cli\u003eUse the network indicators (URLs) in the brief to identify reconnaissance activity targeting JWKS endpoints.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-30T08:03:04Z","date_published":"2026-05-30T08:03:04Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-29000-pac4j/","summary":"A public exploit is available for CVE-2026-29000, a critical authentication bypass vulnerability 
in pac4j's JWT implementation, allowing attackers to forge admin tokens without a valid signature by exploiting flaws in the library's handling of unsigned tokens and JWE-wrapped tokens.","title":"CVE-2026-29000: pac4j JWT Authentication Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-29000-pac4j/"}],"language":"en","title":"CraftedSignal Threat Feed — Pac4j","version":"https://jsonfeed.org/version/1.1"}
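Worked example, added by the editor and not part of the CraftedSignal brief or of pac4j itself: the inner-token check that the attack chain above defeats, with the vulnerable form and the hardened form side by side. The JWE layer (RSA-OAEP-256 with A128GCM) is deliberately not modelled, since producing it needs an RSA library and, more to the point, succeeds for anyone who holds the server's public key; the code therefore starts where the server has already decrypted the JWE and holds the inner compact JWT. The function names, the HS256 key and the claims are constructed for the demonstration, and HS256 stands in for whatever signing algorithm a real deployment uses.

```python
"""Added example (not pac4j or CraftedSignal code): why decrypting a JWE proves
nothing about the inner JWT, and how the inner check must be written.

Starts after JWE decryption; RSA-OAEP-256/A128GCM is not modelled.
Key, claims and function names are constructed for the demo."""
import base64
import hashlib
import hmac
import json

# Constructed demo key: the server's HS256 secret, which the attacker does not have.
SERVER_KEY = b"constructed-demo-secret-do-not-reuse"
# The server, not the token, decides which algorithms are acceptable.
ALLOWED_ALGS = {"HS256"}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def make_unsigned_jwt(claims: dict) -> str:
    """Step 3 of the attack chain: alg none and an empty signature segment."""
    return "%s.%s." % (_segment({"alg": "none", "typ": "JWT"}), _segment(claims))


def make_hs256_jwt(claims: dict, key: bytes) -> str:
    """A legitimately issued inner token, for comparison."""
    signing_input = "%s.%s" % (_segment({"alg": "HS256", "typ": "JWT"}), _segment(claims))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def _split(token: str):
    header_b64, payload_b64, sig_b64 = token.split(".")
    return (json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64)),
            header_b64, payload_b64, sig_b64)


def _hs256_ok(header_b64: str, payload_b64: str, sig_b64: str, key: bytes) -> bool:
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


def inner_claims_vulnerable(inner_jwt: str, key: bytes) -> dict:
    """Models the flaw the advisory describes: once the JWE is open, an inner
    token declaring alg none is honoured and its claims are trusted unsigned."""
    header, claims, h, p, s = _split(inner_jwt)
    if header.get("alg") == "none":        # the bug: the token's own header decides
        return claims
    if not _hs256_ok(h, p, s, key):
        raise ValueError("bad signature")
    return claims


def inner_claims_hardened(inner_jwt: str, key: bytes) -> dict:
    """The fix: the allowlist decides the algorithm, never the token, and a
    signature is required and verified before any claim is read."""
    header, claims, h, p, s = _split(inner_jwt)
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:
        raise ValueError(f"rejected alg {alg!r}")
    if not s or not _hs256_ok(h, p, s, key):
        raise ValueError("bad signature")
    return claims


def is_admin(claims: dict) -> bool:
    return claims.get("role") == "ROLE_ADMIN"


def demo() -> dict:
    """Runs the forged token and a legitimate token through both checks."""
    forged = make_unsigned_jwt({"sub": "attacker", "role": "ROLE_ADMIN"})
    legit = make_hs256_jwt({"sub": "alice", "role": "ROLE_USER"}, SERVER_KEY)
    out = {"forged_vulnerable_admin": is_admin(inner_claims_vulnerable(forged, SERVER_KEY))}
    for name, token in (("forged", forged), ("legit", legit)):
        try:
            out[name + "_hardened"] = inner_claims_hardened(token, SERVER_KEY)["sub"]
        except ValueError as err:
            out[name + "_hardened"] = "rejected: " + str(err)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The vulnerable path is accepted-by-default: the token's own `alg` header selects the verification behaviour, so `none` selects no verification. The hardened path inverts that, starting from a server-side allowlist and treating a missing or bad signature as a hard failure, which is the check the recommendation above asks for. The JWE wrapper changes nothing in this picture: confidentiality of the inner token is not authenticity, and the only thing that binds the claims to the issuer is the inner signature.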