## https://sploitus.com/exploit?id=5392392F-94CE-5733-B8E9-A8984A02C01C
# CVE-2026-29000 – pac4j JWT Authentication Bypass (Python PoC)
Python Proof‑of‑Concept for **CVE‑2026‑29000**, a critical authentication bypass affecting applications using the **pac4j JWT module**.
The vulnerability allows attackers to authenticate as arbitrary users by sending a malicious **JWE token containing an unsigned PlainJWT (`alg: none`)**.
---
## 🧠 Vulnerability Overview
pac4j applications may use the following token flow:
1. User authenticates via `/api/auth/login`
2. Server returns an **encrypted JWT (JWE)**
3. Client sends token as a **Bearer token**
4. Server decrypts the JWE and verifies the inner JWT signature
Due to incorrect handling of the JWT parsing logic, when the inner token is a **PlainJWT (unsigned token)**:
* `toSignedJWT()` returns **null**
* Signature verification is **skipped**
* Claims are accepted as trusted
This allows an attacker to:
* forge arbitrary claims
* escalate privileges
* authenticate as **admin**
---
## ⚠️ Impact
An attacker can:
* Authenticate as any user
* Assign arbitrary roles
* Access protected endpoints
* Achieve **full privilege escalation**
No private key is required — only the **public key** exposed via JWKS.
---
## 🧪 Proof of Concept
This repository provides a **Python PoC** that:
* Fetches the public key from a JWKS endpoint
* Creates an unsigned JWT
* Wraps it inside a JWE token
* Generates a malicious Bearer token
---
## 📦 Requirements
Python 3.x
Install dependencies:
```
pip install jwcrypto requests
```
---
## 🚀 Usage
```
python3 poc.py \
--jwks http://target:8080/api/auth/jwks \
--user admin \
--role ROLE_ADMIN
```
Example output:
```
=== Malicious JWE Token ===
eyJhbGciOiJSU0EtT0FFUC0yNTYiLCJlbmMiOiJBMTI4R0NNIiwiY3R5IjoiSldUIn0...
```
Use it as:
```
Authorization: Bearer
```
---
## ⚠️ Disclaimer
This repository is provided for **educational and research purposes only**.
Do not use this code against systems without proper authorization.
---
## 👨💻 Author
Ali Hussainzada
Application Security Researcher | Bug Hunter