On March 03, 2026, pac4j released fixes for a maximum severity vulnerability in pac4j-jwt, tracked as CVE-2026-29000.

ArcticWolf's platform is a central hub for cybersecurity professionals, offering insights into managed detection and response (MDR), threat intelligence, and security operations. Through articles, reports, and webinars, ArcticWolf offers insights into detecting and responding to cybersecurity threats effectively. Security analysts can learn about threat hunting, incident response strategies, and security best practices to protect organizations from cyberattacks.

Arctic Wolf

A maximum severity vulnerability (CVE-2026-29000) was disclosed in pac4j-jwt's JwtAuthenticator component. The flaw allows a remote unauthenticated attacker who knows the server's RSA public key to bypass authentication and impersonate any user, including admins, by submitting a crafted JWE containing an unsigned PlainJWT (alg=none). The bug stems from a logic error where a null SignedJWT causes signature verification to be skipped entirely, allowing unverified claims to build a user profile. Affected versions are pac4j-jwt prior to 4.5.9, 5.7.9, and 6.3.3. No active exploitation has been observed yet, but a public proof-of-concept exists. Upgrading to the fixed releases is strongly recommended.