## https://sploitus.com/exploit?id=DE43D5C0-A925-5600-BDA5-E7B0CCB3C108
# CVE-2026-29000: pac4j-jwt Authentication Bypass POC
This repository contains a proof-of-concept (POC) for an authentication bypass vulnerability in `pac4j-jwt` (CVE-2026-29000). The vulnerability allows an attacker to bypass signature verification by nesting a PlainJWT (using `alg: none`) inside a JWE (JSON Web Encryption) container.
## Overview
The attack works by exploiting the server's willingness to decrypt a JWE encrypted with its public key and subsequently trust the inner JWT without validating its signature, provided it uses the `none` algorithm.
## Prerequisites
Ensure you have Python 3 installed along with the required dependencies:
```bash
pip install requests jwcrypto
```
## Usage
### 1. Generate a Forged Token
Use `exp.py` to fetch the target's public key from the JWKS endpoint, craft a malicious token with `ROLE_ADMIN` privileges, and wrap it in a JWE.
```bash
python3 exp.py --user admin --role ROLE_ADMIN
```
**Example:**
```bash
python3 exp.py http://localhost:8080
```
### 2. Interact with the API
Once you have the forged token, use `app.py` to interact with protected API endpoints.
```bash
python3 app.py
```
**Test a specific endpoint:**
```bash
python3 app.py http://localhost:8080 --endpoint /api/users
```
## Files
- `exp.py`: The main exploit script that fetches JWKS, crafts a PlainJWT, and forges a JWE.
- `app.py`: A utility script to test the forged token against discovered API endpoints (`/api/dashboard`, `/api/users`, `/api/settings`).
## Disclaimer
This POC is for educational and authorized security testing purposes only. Unauthorized access to computer systems is illegal.