Authentication Bypass in pac4j-jwt via Forged JWE/PlainJWT Claims
A maximum-severity authentication bypass was disclosed in pac4j’s JWT component (pac4j-jwt), tracked as CVE-2026-29000, affecting a widely used Java security engine embedded across many downstream software packages. The issue is a logic flaw that enables attackers to bypass authentication controls by crafting tokens/claims in a way that defeats expected verification, raising concern because exploitation can be relatively straightforward and the library’s transitive use complicates exposure tracking and patch rollout across dependent applications.
Public proof-of-concept (PoC) code is available, and reporting indicates an attacker who can obtain a target server’s RSA public key (often publicly accessible) can forge a JWE-wrapped PlainJWT containing arbitrary sub and role claims to bypass signature verification and authenticate as any user, including administrators. The pac4j maintainer disclosed the defect and released patched versions shortly after private reporting; while there were no confirmed in-the-wild exploits at the time of reporting, defenders should expect downstream vendors and application owners to issue their own advisories and updates as they assess inherited risk from bundled pac4j versions.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
F5 publishes product advisory for CVE-2026-29000
F5 issued a product advisory for CVE-2026-29000, indicating the pac4j vulnerability affected or was relevant to F5 products. This marks a downstream vendor response following the earlier pac4j disclosure and patching activity.
Researchers notify hundreds of potentially affected maintainers
CodeAnt AI said it contacted hundreds of maintainers whose repositories may depend on vulnerable pac4j components. Researchers also warned that downstream projects may need to publish their own advisories and patches.
Public reporting details CVE-2026-29000 and PoC exploit
CyberScoop reported that CVE-2026-29000 had been publicly disclosed after CodeAnt AI published a proof-of-concept exploit, warning that the pre-authentication flaw was easy to reproduce with only a server's public RSA key. The report highlighted serious downstream risk because pac4j is embedded in frameworks such as Spring Security, Play Framework, Vert.x, and Javalin.
HKCERT publishes advisory for pac4j-jwt restriction bypass
HKCERT published a security bulletin warning of a pac4j-jwt security restriction bypass vulnerability. The advisory marked broader public disclosure of the issue to defenders and users.
pac4j maintainer releases patches for affected versions
Within two days of the private report, the pac4j maintainer disclosed the vulnerability and issued fixes for affected pac4j versions. The flaw affected the pac4j authentication component used across multiple Java frameworks and downstream projects.
CodeAnt AI privately reports pac4j JWT auth bypass flaw
CodeAnt AI discovered a critical logic flaw in pac4j-jwt, later assigned CVE-2026-29000, that could let attackers bypass authentication by forging JWTs or abusing raw JSON claims via JWE. The issue was privately disclosed to the pac4j maintainer before public announcement.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
pac4j vulnerability CVE-2026-29000
my.f5.com
Open sourceMax severity pac4j flaw easily exploitable, researchers warn | brief | SC Media
scworld.com
Open sourceCritical defect in Java security engine poses serious downstream security risks | CyberScoop
cyberscoop.com
Open sourcepac4j-jwt Security Restriction Bypass Vulnerability
hkcert.org
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Critical JWT Forgery Flaw in Postiz Enables SUPERADMIN Takeover
A critical vulnerability in **Postiz** allows any authenticated user to escalate privileges to **SUPERADMIN** by forging JWTs through the application's **Skool integration callback**. Tracked as **`CVE-2026-48781`** and **`GHSA-j77w-h625-56q2`**, the flaw stems from attacker-controlled JSON being signed into a session-like token with the application's `JWT_SECRET`, while authentication logic trusted the token's claims without reloading the user record from the database. The bug affects Postiz versions prior to **`2.21.8`** and enables cross-tenant takeover, arbitrary organization impersonation, full access across the affected instance, exposure of all registered users, and the ability to post through victims' connected social media accounts. The issue is rated **CVSS 9.9 (Critical)**, was verified and patched by the vendor, and defenders are advised to upgrade to **`2.21.8`**, rotate JWT secrets if compromise is suspected, and review logs for impersonation or unauthorized access activity.
Jun 29, 2026
Cal.com NextAuth JWT Session Update Authentication Bypass (CVE-2026-23478)
A **critical authentication bypass** in the Cal.com open-source scheduling platform allows remote attackers to **hijack arbitrary user accounts** by abusing a flaw in a custom *NextAuth* JWT callback used during session updates. Tracked as **CVE-2026-23478** (reported as **CVSS 10.0**), the issue affects Cal.com versions **>= 3.1.6 and < 6.0.7** and is exploitable over the network with minimal prerequisites—primarily knowledge of a victim’s email address. The weakness occurs when the session trigger is set to `"update"`, where Cal.com improperly accepts **client-controlled identity fields** and writes them into the JWT without server-side validation (mapped to issues such as **CWE-602** and **CWE-639**). An attacker can send a single API call like `session.update({ email: "victim@example.com" })` to produce a manipulated token that retains the attacker’s `sub` but swaps in the victim’s email; subsequent requests are treated as the victim because the application looks up users using the attacker-controlled `token.email` field. Successful exploitation yields full access to victim data and capabilities (bookings, event types, integrations, org membership, billing, and potentially admin privileges), and **2FA/external IdP associations do not mitigate** because the compromise occurs at the session token level; **Cal.com 6.0.7+** is cited as containing the fix.
Jun 29, 2026
Apache Tomcat auth bypass and Apache CXF JMS RCE flaw disclosed
Apache disclosed **CVE-2026-43512**, a moderate-severity authentication bypass in Tomcat's DIGEST authenticator that can let any user unknown to the configured Realm authenticate if the supplied password is `"null"`. The flaw affects multiple supported branches, including Tomcat `11.0.0-M1` through `11.0.21`, `10.1.0-M1` through `10.1.54`, and `9.0.0.M1` through `9.0.117`, with older unsupported releases potentially affected. Apache advised users to upgrade to `11.0.22+`, `10.1.55+`, or `9.0.118+`. Apache also disclosed **CVE-2026-44417**, a moderate-severity flaw in the JMS transport component of Apache CXF caused by an incomplete fix for **CVE-2025-48913**. The remaining vulnerable code path can still lead to remote code execution when untrusted users are allowed to configure JMS. Affected releases include CXF JMS transport `4.2.0` before `4.2.1`, `4.0.0` before `4.1.6`, and all `3.6.x` versions before `3.6.11`; Apache said organizations should upgrade to `4.2.1`, `4.1.6`, or `3.6.11`.
Jun 29, 2026