Share
## https://sploitus.com/exploit?id=5392392F-94CE-5733-B8E9-A8984A02C01C
# CVE-2026-29000 – pac4j JWT Authentication Bypass (Python PoC)

Python Proof‑of‑Concept for **CVE‑2026‑29000**, a critical authentication bypass affecting applications using the **pac4j JWT module**.

The vulnerability allows attackers to authenticate as arbitrary users by sending a malicious **JWE token containing an unsigned PlainJWT (`alg: none`)**.

---

## 🧠 Vulnerability Overview

pac4j applications may use the following token flow:

1. User authenticates via `/api/auth/login`
2. Server returns an **encrypted JWT (JWE)**
3. Client sends token as a **Bearer token**
4. Server decrypts the JWE and verifies the inner JWT signature

Due to incorrect handling of the JWT parsing logic, when the inner token is a **PlainJWT (unsigned token)**:

* `toSignedJWT()` returns **null**
* Signature verification is **skipped**
* Claims are accepted as trusted

This allows an attacker to:

* forge arbitrary claims
* escalate privileges
* authenticate as **admin**

---

## ⚠️ Impact

An attacker can:

* Authenticate as any user
* Assign arbitrary roles
* Access protected endpoints
* Achieve **full privilege escalation**

No private key is required — only the **public key** exposed via JWKS.

---


## 🧪 Proof of Concept

This repository provides a **Python PoC** that:

* Fetches the public key from a JWKS endpoint
* Creates an unsigned JWT
* Wraps it inside a JWE token
* Generates a malicious Bearer token

---

## 📦 Requirements

Python 3.x

Install dependencies:

```
pip install jwcrypto requests
```

---

## 🚀 Usage

```
python3 poc.py \
--jwks http://target:8080/api/auth/jwks \
--user admin \
--role ROLE_ADMIN
```

Example output:

```
=== Malicious JWE Token ===

eyJhbGciOiJSU0EtT0FFUC0yNTYiLCJlbmMiOiJBMTI4R0NNIiwiY3R5IjoiSldUIn0...
```

Use it as:

```
Authorization: Bearer 
```

---



## ⚠️ Disclaimer

This repository is provided for **educational and research purposes only**.
Do not use this code against systems without proper authorization.

---

## 👨‍💻 Author

Ali Hussainzada
Application Security Researcher | Bug Hunter