PAC4J Releases Security Updates for pac4j-jwt module

A critical vulnerability could allow remote attackers to forge authentication tokens

Threat ID:: CC-4751
Threat Severity:: Medium
Published:: 9 March 2026 4:39 PM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

A critical vulnerability could allow remote attackers to forge authentication tokens

Affected platforms

The following platforms are known to be affected:

PAC4J

'pac4j-jwt' module:

All prior to 4.5.9
All prior to 5.7.9
All prior to 6.3.3

Threat details

Proof-of-concept for CVE-2026-29000

Security researchers have released a public proof-of-concept exploit for CVE-2026-29000. The NHS England National CSOC assesses exploitation as highly likely.

Introduction

PAC4J has released security updates to address a critical vulnerability affecting the 'JwtAuthenticator' in the pac4j-jwt module.

CVE-2026-29000 - 'Improper Verification of Cryptographic Signature' vulnerability - CVSSv4 score: 10.0

Remediation advice

Affected organisations are encouraged to review PAC4J's Security advisory for pac4j-jwt (JwtAuthenticator) advisory and apply the relevant updates as soon as possible.

Definitive source of threat updates

https://www.pac4j.org/blog/security-advisory-pac4j-jwt-jwtauthenticator.html

CVE Vulnerabilities

Status Published

CVE-2026-29000

pac4j-jwt versions prior to 4.5.9, 5.7.9, and 6.3.3 contain an authentication bypass vulnerability in JwtAuthenticator when processing encrypted JWTs that allows remote attackers to forge authentication tokens. Attackers who possess the server's RSA public key can create a JWE-wrapped PlainJWT with arbitrary subject and role claims, bypassing signature verification to authenticate as any user including administrators.

Last edited: 9 March 2026 4:39 pm