Critical Authentication Bypass in pac4j-jwt Library Allows Full User Impersonation

A critical authentication bypass vulnerability (CVE-2026-29000) in the pac4j-jwt Java library allows attackers to impersonate any user by forging encrypted but unsigned tokens. The flaw is caused by a logic error in JwtAuthenticator that skips signature verification when a token is wrapped in an RSA-encrypted envelope.

**If your Java applications use pac4j-jwt, this is urgent! Update to the latest patched versions immediately because there is no practical way to hide your app from the internet, and the exploit is trivial - it will be exploited in a matter of days.**
#cybersecurity #infosec #advisory #vulnerability
https://beyondmachines.net/event_details/critical-authentication-bypass-in-pac4j-jwt-library-allows-full-user-impersonation-f-h-1-h-f/gD2P6Ple2L