On 03 March 2026, pac4j released fixes for a maximum severity vulnerability in pac4j-jwt, tracked as CVE-2026-29000. The flaw arises from improper verification of cryptographic signatures in the JwtAuthenticator component when processing encrypted JWTs (JWE). A remote, unauthenticated threat actor who knows the server’s RSA public key can bypass authentication and impersonate arbitrary users (including administrators) by submitting a crafted JWE whose inner token is an unsigned PlainJWT.
Technical Details
When JwtAuthenticator decrypts a JWE, it attempts to parse the inner token as a SignedJWT. If the inner token is instead a PlainJWT (alg=none), that attempt yields a null SignedJWT object and, due to a logic error, the signature verification path is skipped rather than the token being rejected. The code then builds a user profile from the unverified claims, enabling full impersonation. Impacted deployments are those using RSA-based JWE together with a JwtAuthenticator configured with both an EncryptionConfiguration and a SignatureConfiguration.
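The following is an added illustration, not pac4j's code, of the invariant the flaw violates: a token inside a JWE must be a SignedJWT whose signature verifies before any claim is trusted. It uses the Nimbus JOSE+JWT library that pac4j builds on; the class name NestedJwtValidator, the RSA key pair, and the choice to fail closed with a JOSEException are assumptions of this example.

```java
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.crypto.RSADecrypter;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.EncryptedJWT;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.jwt.SignedJWT;

/**
 * Hypothetical hardened validator for nested (signed-then-encrypted) JWTs.
 * Not pac4j's implementation: it shows the check the advisory says was
 * skipped, i.e. rejecting a decrypted payload that is not a SignedJWT.
 */
public final class NestedJwtValidator {

    // Assumption: RSA-based JWE and RSA-signed inner JWS, matching the impacted configuration.
    private final RSAPrivateKey decryptionKey;
    private final JWSVerifier signatureVerifier;

    public NestedJwtValidator(RSAPrivateKey decryptionKey, RSAPublicKey signingPublicKey) {
        this.decryptionKey = decryptionKey;
        this.signatureVerifier = new RSASSAVerifier(signingPublicKey);
    }

    /** Returns the verified claims, or throws; never returns claims from an unverified token. */
    public JWTClaimsSet validate(String token) throws ParseException, JOSEException {
        JWT jwt = JWTParser.parse(token);

        if (!(jwt instanceof EncryptedJWT)) {
            // Fail closed: a bare PlainJWT or SignedJWT is not the shape this validator accepts.
            throw new JOSEException("expected an encrypted (JWE) token");
        }

        EncryptedJWT encrypted = (EncryptedJWT) jwt;
        encrypted.decrypt(new RSADecrypter(decryptionKey));

        // RFC 7519 section 5.2: a nested JWT declares cty=JWT in the outer JWE header.
        if (!"JWT".equalsIgnoreCase(encrypted.getHeader().getContentType())) {
            throw new JOSEException("outer JWE is not declared as a nested JWT (cty)");
        }

        // toSignedJWT() returns null when the decrypted payload is not a signed JWT,
        // which is exactly the PlainJWT (alg=none) case. The logic error described in
        // the advisory treats that null as "nothing to verify"; the safe behaviour is to reject.
        SignedJWT inner = encrypted.getPayload().toSignedJWT();
        if (inner == null) {
            throw new JOSEException("inner token is not a SignedJWT; unsigned claims rejected");
        }

        // Pin the expected signature algorithm family so a header-chosen algorithm cannot
        // downgrade verification, then verify before any claim is read.
        JWSAlgorithm alg = inner.getHeader().getAlgorithm();
        if (!JWSAlgorithm.Family.RSA.contains(alg)) {
            throw new JOSEException("unexpected inner JWS algorithm: " + alg);
        }
        if (!inner.verify(signatureVerifier)) {
            throw new JOSEException("inner JWS signature verification failed");
        }

        // Only now are the claims trustworthy enough to build a user profile from.
        return inner.getJWTClaimsSet();
    }
}
```

Rejections at the "inner token is not a SignedJWT" branch are worth logging: in a deployment that only ever issues signed inner tokens, a decrypted payload that is a PlainJWT is a high-confidence signal of a tampering attempt against this component. Expiry (exp), issuer and audience checks belong on the returned claims set and are omitted here for brevity.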
At the time of writing, Arctic Wolf has not observed any reports of active exploitation. A public proof-of-concept and a technical write-up are available.
Recommendations for CVE-2026-29000
Upgrade to Latest Fixed Release
Arctic Wolf strongly recommends that customers upgrade to the latest fixed release of pac4j-jwt.
| Product | Affected Version | Fixed Version |
| pac4j-jwt (org.pac4j:pac4j-jwt) | Prior to 4.5.9 | 4.5.9 or newer |
| pac4j-jwt (org.pac4j:pac4j-jwt) | Prior to 5.7.9 | 5.7.9 or newer |
| pac4j-jwt (org.pac4j:pac4j-jwt) | Prior to 6.3.3 | 6.3.3 or newer |
Please follow your organisation’s patching and testing guidelines to minimise potential operational impact.