Share
## https://sploitus.com/exploit?id=DE43D5C0-A925-5600-BDA5-E7B0CCB3C108
# CVE-2026-29000: pac4j-jwt Authentication Bypass POC

This repository contains a proof-of-concept (POC) for an authentication bypass vulnerability in `pac4j-jwt` (CVE-2026-29000). The vulnerability allows an attacker to bypass signature verification by nesting a PlainJWT (using `alg: none`) inside a JWE (JSON Web Encryption) container.

## Overview

The attack works by exploiting the server's willingness to decrypt a JWE encrypted with its public key and subsequently trust the inner JWT without validating its signature, provided it uses the `none` algorithm.

## Prerequisites

Ensure you have Python 3 installed along with the required dependencies:

```bash
pip install requests jwcrypto
```

## Usage

### 1. Generate a Forged Token

Use `exp.py` to fetch the target's public key from the JWKS endpoint, craft a malicious token with `ROLE_ADMIN` privileges, and wrap it in a JWE.

```bash
python3 exp.py  --user admin --role ROLE_ADMIN
```

**Example:**
```bash
python3 exp.py http://localhost:8080
```

### 2. Interact with the API

Once you have the forged token, use `app.py` to interact with protected API endpoints.

```bash
python3 app.py  
```

**Test a specific endpoint:**
```bash
python3 app.py http://localhost:8080  --endpoint /api/users
```

## Files

- `exp.py`: The main exploit script that fetches JWKS, crafts a PlainJWT, and forges a JWE.
- `app.py`: A utility script to test the forged token against discovered API endpoints (`/api/dashboard`, `/api/users`, `/api/settings`).

## Disclaimer

This POC is for educational and authorized security testing purposes only. Unauthorized access to computer systems is illegal.