9.3

Pac4j-JWT's Encrypted JWT Processing Allows Unauthorized Access

CVE-2026-29000 · GHSA-pm7g-w2cf-q238
Summary

Versions of Pac4j-JWT prior to 4.5.9, 5.7.9, and 6.3.3 have a security issue that allows an attacker to impersonate any user, including administrators, by manipulating how the software validates encrypted login tokens. This is a serious problem because it could let attackers reach sensitive areas of your website or application without a valid login. Update to a fixed version of Pac4j-JWT to resolve this issue.

What to do
  • Update pac4j org.pac4j:pac4j-jwt to version 6.3.3.
  • Update pac4j org.pac4j:pac4j-jwt to version 5.7.9.
  • Update pac4j org.pac4j:pac4j-jwt to version 4.5.9.
Affected software
Vendor   Product               Affected versions          Fix available
pac4j    org.pac4j:pac4j-jwt   > 6.0.4.1, <= 6.3.3        6.3.3
pac4j    org.pac4j:pac4j-jwt   > 5.0.0-RC1, <= 5.7.9      5.7.9
pac4j    org.pac4j:pac4j-jwt   <= 4.5.9                   4.5.9
Original title
pac4j-jwt versions prior to 4.5.9, 5.7.9, and 6.3.3 contain an authentication bypass vulnerability in JwtAuthenticator when processing encrypted JWTs that allows remote attackers to forge authentic...
Original description
pac4j-jwt versions prior to 4.5.9, 5.7.9, and 6.3.3 contain an authentication bypass vulnerability in JwtAuthenticator when processing encrypted JWTs that allows remote attackers to forge authentication tokens. Attackers who possess the server's RSA public key can create a JWE-wrapped PlainJWT with arbitrary subject and role claims, bypassing signature verification to authenticate as any user including administrators.
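The root cause described above is treating decryption as proof of origin: a JWE can be produced by anyone holding the recipient's RSA public key, so the claims inside carry no integrity guarantee unless the decrypted payload is itself a signed JWT whose signature is verified. As an added illustration (not pac4j's code and not the project's actual fix), the following Nimbus JOSE+JWT validator shows the check a consumer of encrypted JWTs needs: after decryption, accept only a nested JWS with a valid signature and reject a PlainJWT payload outright. The class name, method name and the choice of RSA for both decryption and signature verification are assumptions made for this example.

```java
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.crypto.RSADecrypter;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.EncryptedJWT;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.jwt.PlainJWT;
import com.nimbusds.jwt.SignedJWT;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;

// Hypothetical validator for nested (JWE-wrapped JWS) tokens; not pac4j's JwtAuthenticator.
public final class NestedJwtValidator {
    private final RSAPrivateKey decryptionKey;   // server's private key: unwraps the JWE
    private final RSAPublicKey verificationKey;  // issuer's public key: checks the inner JWS

    public NestedJwtValidator(RSAPrivateKey decryptionKey, RSAPublicKey verificationKey) {
        this.decryptionKey = decryptionKey;
        this.verificationKey = verificationKey;
    }

    // Returns the claims only if they were covered by a valid signature.
    public JWTClaimsSet validate(String token) throws ParseException, JOSEException {
        JWT jwt = JWTParser.parse(token);

        // An unsecured JWT at the top level is never acceptable for authentication.
        if (jwt instanceof PlainJWT) {
            throw new JOSEException("unsecured (plain) JWT rejected");
        }

        SignedJWT signed;
        if (jwt instanceof EncryptedJWT) {
            EncryptedJWT encrypted = (EncryptedJWT) jwt;
            encrypted.decrypt(new RSADecrypter(decryptionKey));
            // Decryption only proves the sender had our public key, which is not a secret.
            // The payload must be a signed JWT; toSignedJWT() returns null for anything else,
            // including a PlainJWT smuggled inside the JWE.
            signed = encrypted.getPayload().toSignedJWT();
            if (signed == null) {
                throw new JOSEException("encrypted token does not wrap a signed JWT");
            }
        } else if (jwt instanceof SignedJWT) {
            signed = (SignedJWT) jwt;
        } else {
            throw new JOSEException("unsupported JWT type: " + jwt.getClass().getName());
        }

        // Integrity and origin come from this step, not from decryption.
        if (!signed.verify(new RSASSAVerifier(verificationKey))) {
            throw new JOSEException("JWS signature verification failed");
        }
        return signed.getJWTClaimsSet();
    }
}
```

Callers should treat any exception from validate as an authentication failure and never read claims from the decrypted payload before the signature check passes; expiry, issuer and audience checks on the returned JWTClaimsSet still apply on top of this.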
NVD CVSS 3.1: 10.0
NVD CVSS 4.0: 10.0
Vulnerability type
CWE-347 Improper Verification of Cryptographic Signature
Published: 4 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026