A critical security restriction bypass vulnerability (CVE-2026-29000, CVSS 10.0) exists in pac4j-jwt, which a remote attacker could exploit to bypass security controls. Affected versions include the 4.x line prior to 4.5.9, the 5.x line prior to 5.7.9, and the 6.x line prior to 6.3.3. The vendor has released patches in versions 4.5.9, 5.7.9, and 6.3.3, and immediate upgrade is required.
A vulnerability has been identified in pac4j-jwt. A remote attacker could exploit this vulnerability to trigger a security restriction bypass on the targeted system.

Note: Proof of Concept exploit code is publicly available for CVE-2026-29000. Attackers who possess the server'...

Impact
Security Restriction Bypass

System / Technologies affected
If you use the 4.x line: upgrade to 4.5.9 (or newer)
If you use the 5.x line: upgrade to 5.7.9 (or newer)
If you use the 6.x line: upgrade to 6.3.3 (or newer)

Solutions
Before installation of the software, please visit the vendor web-site for more details.
Apply fixes issued by the vendor: https://www.pac4j.org/blog/security-advisory-pac4j-jwt-jwtauthenticator.html
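To turn the per-line fix thresholds above into a quick inventory check, here is an added example (not from the advisory or the pac4j project) that compares a declared pac4j-jwt version against the patched releases; it assumes the standard Maven coordinates org.pac4j:pac4j-jwt and a pom.xml with inline versions, and the sample pom fragment is constructed.

```python
import re

# Fix thresholds per release line, as stated in the advisory above.
FIXED_BY_LINE = {4: (4, 5, 9), 5: (5, 7, 9), 6: (6, 3, 3)}

# Maven dependency on org.pac4j:pac4j-jwt with an inline version (assumed coordinates).
DEP_RE = re.compile(
    r"<dependency>\s*<groupId>org\.pac4j</groupId>\s*<artifactId>pac4j-jwt</artifactId>"
    r"\s*<version>([^<]+)</version>",
    re.S,
)


def version_key(version):
    """Map '5.7.9', '5.7.9-SNAPSHOT' or '6.3' to a comparable tuple.
    Numeric parts are padded to three; a qualifier (SNAPSHOT, RC1, ...) ranks
    before the plain release, so 5.7.9-SNAPSHOT still counts as older than 5.7.9."""
    core, _, qualifier = version.strip().partition("-")
    parts = core.split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version: {version!r}")
    nums = tuple(int(p) for p in parts) + (0,) * (3 - len(parts))
    return nums[:3] + (0 if qualifier else 1,)


def is_affected(version):
    """True if below the line's fix, False if patched, None if the major line
    is not one the advisory covers (4.x, 5.x, 6.x)."""
    key = version_key(version)
    fixed = FIXED_BY_LINE.get(key[0])
    if fixed is None:
        return None
    return key < fixed + (1,)


def affected_dependencies(pom_text):
    """Return [(version, affected)] for every pac4j-jwt dependency in pom_text."""
    return [(v, is_affected(v)) for v in DEP_RE.findall(pom_text)]


# Constructed sample pom fragment, not taken from any real project.
SAMPLE_POM = """<dependencies><dependency>
  <groupId>org.pac4j</groupId><artifactId>pac4j-jwt</artifactId>
  <version>5.7.8</version>
</dependency></dependencies>"""

if __name__ == "__main__":
    for version, affected in affected_dependencies(SAMPLE_POM):
        print(f"pac4j-jwt {version}: {'AFFECTED, upgrade' if affected else 'patched'}")
```

Versions managed through a parent BOM or a property will not match the inline pattern, so check those declarations separately.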