Summary
A critical authentication bypass vulnerability (CVE-2026-29000) in the pac4j-jwt Java library allows attackers to impersonate any user by forging encrypted but unsigned tokens. The flaw is caused by a logic error in JwtAuthenticator that skips signature verification when a token is wrapped in an RSA-encrypted envelope.
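The rule that the logic error described above violates, as an added example written for this page (it is not pac4j-jwt's code, and the envelope is a constructed stand-in for an RSA JWE, since the standard library has no RSA): decrypting an envelope proves nothing about who produced it, so the inner token must still pass the same signature check as an unencrypted JWT.

```python
# Added example, not pac4j-jwt's own code: decrypting an envelope proves only
# confidentiality, so the inner token must still pass the signature check.
import base64, hashlib, hmac, json

def b64u(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def b64u_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs256(claims: dict, key: bytes) -> str:
    head = b64u(b'{"alg":"HS256","typ":"JWT"}')
    body = b64u(json.dumps(claims).encode())
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64u(mac)}"

def verify_hs256(jws: str, key: bytes) -> dict:
    head, body, sig = jws.split(".")            # ValueError unless 3 segments
    if json.loads(b64u_dec(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")      # also rejects alg=none
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, b64u_dec(sig)):
        raise ValueError("bad signature")
    return json.loads(b64u_dec(body))

# Constructed stand-in for the RSA JWE envelope (stdlib has no RSA): XOR with a
# hash keystream. Like a JWE built with a public key, it authenticates nothing.
def _xor(data: bytes, enc_key: bytes) -> bytes:
    ks = hashlib.sha256(enc_key).digest() * (len(data) // 32 + 1)
    return bytes(a ^ b for a, b in zip(data, ks))

def envelope(data: bytes, enc_key: bytes) -> str:
    return "ENV." + b64u(_xor(data, enc_key))

def authenticate(token: str, enc_key: bytes, sig_key: bytes) -> dict:
    """Return verified claims or raise ValueError: unwrap the envelope, then
    verify the inner token; never return the decrypted plaintext as-is."""
    if token.startswith("ENV."):
        token = _xor(b64u_dec(token[4:]), enc_key).decode()
    return verify_hs256(token, sig_key)

ENC_KEY, SIG_KEY = b"constructed-enc-key", b"constructed-sig-key"   # demo keys

def demo() -> tuple:
    good = envelope(sign_hs256({"sub": "alice"}, SIG_KEY).encode(), ENC_KEY)
    forged = envelope(b'{"sub":"alice"}', ENC_KEY)   # encrypted, never signed
    def sub(t):
        try: return authenticate(t, ENC_KEY, SIG_KEY)["sub"]
        except ValueError: return None
    return sub(good), sub(forged)                    # -> ("alice", None)
```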
Take Action:
If your Java applications use pac4j-jwt, this is urgent: update to the latest patched versions immediately. There is no practical way to keep an affected app off the internet, and the exploit is trivial, so expect it to be exploited within days.
This article was originally published on BeyondMachines