# CVE-2026-29000: Proof of Concept (PoC) for pac4j-jwt Auth Bypass

### โš ๏ธ Disclaimer
**This tool is for educational and ethical security testing purposes only.** I do not and will not support threat acting in any way, shape or form. Use at your own risk.

- This is also my first PoC, so be nice please.
- This is designed around the "Principal" medium HackTheBox machine.

---

## Overview
**CVE-2026-29000** is a critical vulnerability (CVSS 10.0) in the `pac4j-jwt` library. It stems from improper validation logic in the `JwtAuthenticator` when handling nested (encrypted) tokens.

The flaw is that `pac4j` correctly decrypts a JWE (JSON Web Encryption) token with the server's key but then does not enforce signature verification on the inner JWT it has just decrypted. An attacker can therefore wrap an unsigned JWT (using `{"alg": "none"}`) inside a valid JWE built with the server's public key. The server decrypts the JWE, trusts the inner payload without checking who produced it, and grants access.

## Vulnerability Details
- **Affected Versions:** `pac4j` versions prior to 4.5.9, 5.7.9, and 6.3.3.
- **Vulnerability Type:** Improper Authentication / Signature Validation Bypass.
- **Impact:** Complete authentication bypass and privilege escalation (e.g., gaining `ROLE_ADMIN`).

## Proof of Concept
The provided script, `CVE-2026-29000.py`, automates the following steps:
1. **Key Discovery:** Retrieves the target's public RSA key via the `/api/auth/jwks` endpoint.
2. **Inner Token Forgery:** Crafts an unsigned JWT with `alg: none` and administrative claims.
3. **Encryption Wrapping:** Encrypts the forged JWT into a JWE container using the retrieved public key.
4. **Exploitation:** Sends the forged JWE to a protected endpoint to verify unauthorized access.

### Prerequisites
Ensure you have the required Python libraries installed:
```bash
pip install requests jwcrypto
```

### Usage
```bash
python3 CVE-2026-29000.py 
```
**Example:**
```bash
python3 CVE-2026-29000.py http://vulnerable-app.local:8080
```

## Remediation
To mitigate this vulnerability, take the following actions:

1. **Update Library:** Upgrade `pac4j-jwt` to version **4.5.9**, **5.7.9**, or **6.3.3** (or higher) immediately.
2. **Enforce Signatures:** Ensure your `JwtAuthenticator` configuration explicitly requires a valid signature and does not permit the `none` algorithm.
3. **Disable JWE:** If your application does not require encrypted tokens, disable JWE support to reduce the attack surface.
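The Overview describes the failure (decrypted inner token treated as trusted) and point 2 above describes the fix (the inner token must carry a signature the server actually accepts). The following added example, which is neither the PoC script nor pac4j code, shows that policy as a small stand-alone verifier step in Python: it decrypts a nested token through a caller-supplied function, then refuses the inner JWT unless it is a 3-part JWS whose `alg` is on a server-controlled allow-list and whose signature part is present. The allow-list, the claims and the "JWE" fixtures are constructed for the example; decryption is simulated by a stand-in function rather than real RSA-OAEP/AES-GCM, because the point is what happens *after* decryption, not the cryptography itself.

```python
import base64
import json
from typing import Callable, Tuple

# Added example, not code from the PoC or from pac4j: the checks a JWT
# verifier must apply to the *inner* token after a JWE has been decrypted.
# Decrypted content is still untrusted input until its signature has been
# verified against a key the server controls.

# Assumption: the algorithms the server itself signs with. "none" is never here.
ALLOWED_SIGNING_ALGS = {"RS256", "RS384", "RS512", "ES256", "ES384", "ES512"}


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def compact_header(token: str) -> dict:
    """Return the JOSE header of a compact-serialized JWS/JWE (unverified)."""
    return json.loads(_b64url_decode(token.split(".")[0]))


def check_inner_jwt(inner: str, allowed_algs=ALLOWED_SIGNING_ALGS) -> Tuple[bool, str]:
    """Structural policy for the inner JWT: it must be a 3-part JWS whose alg
    is on the allow-list and whose signature part is non-empty. Returns
    (accepted, reason). Cryptographic verification of the signature is the
    next step and only runs when this returns True."""
    parts = inner.split(".")
    if len(parts) != 3:
        return False, f"inner token has {len(parts)} parts, expected a 3-part JWS"
    try:
        header = compact_header(inner)
    except (ValueError, json.JSONDecodeError):
        return False, "inner token header is not valid base64url JSON"
    alg = header.get("alg")
    if not isinstance(alg, str) or alg.lower() == "none":
        return False, "inner token is unsigned (alg=none): reject"
    if alg not in allowed_algs:
        return False, f"inner token alg {alg!r} is not on the allow-list: reject"
    if not parts[2]:
        return False, "inner token has an empty signature part: reject"
    return True, f"inner token is a {alg} JWS; now verify its signature with the server key"


def validate_nested_token(outer: str, decrypt: Callable[[str], str]) -> Tuple[bool, str]:
    """Decrypt a 5-part JWE, then apply check_inner_jwt to the plaintext.
    Successful decryption proves only that the JWE was built for our key;
    it says nothing about who produced the inner claims."""
    if outer.count(".") != 4:
        return False, "outer token is not a 5-part JWE"
    if str(compact_header(outer).get("cty", "")).upper() != "JWT":
        return False, "JWE does not declare cty=JWT; not a nested token"
    inner = decrypt(outer)
    return check_inner_jwt(inner)


# --- constructed fixtures: no real keys, decryption is simulated -------------

def _jws(header: dict, claims: dict, signature: bytes) -> str:
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        _b64url_encode(signature),
    ])


def _fake_jwe(inner: str) -> str:
    """Stand-in for a JWE that carries the inner token as its ciphertext part.
    A real JWE uses RSA-OAEP key wrapping and AES-GCM; this is only a fixture."""
    header = _b64url_encode(b'{"alg":"RSA-OAEP-256","enc":"A256GCM","cty":"JWT"}')
    return ".".join([header, "", "", _b64url_encode(inner.encode()), ""])


def _fake_decrypt(outer: str) -> str:
    """Stand-in for JWE decryption with the server's private key."""
    return _b64url_decode(outer.split(".")[3]).decode()


CLAIMS = {"sub": "user", "roles": ["ROLE_ADMIN"], "exp": 4102444800}  # constructed
UNSIGNED_INNER = _jws({"alg": "none", "typ": "JWT"}, CLAIMS, b"")
SIGNED_INNER = _jws({"alg": "RS256", "typ": "JWT"}, CLAIMS, b"\x01" * 32)  # placeholder bytes


if __name__ == "__main__":
    for label, outer in [("unsigned inner", _fake_jwe(UNSIGNED_INNER)),
                         ("signed inner", _fake_jwe(SIGNED_INNER))]:
        print(label, validate_nested_token(outer, _fake_decrypt))
```

The same check is also useful on the detection side: a decrypted inner token whose header says `alg: none`, or whose signature part is empty, is a strong indicator that someone is probing for this bug, so log the rejection reason with the request rather than silently returning 401.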

## References
- [Official CVE Entry (CVE-2026-29000)](https://nvd.nist.gov/vuln/detail/CVE-2026-29000)
- [pac4j Security Advisories](https://github.com/pac4j/pac4j/security/advisories)

---
**Created by:** Cipher1x1