GHSA-pm7g-w2cf-q238

Source

https://github.com/advisories/GHSA-pm7g-w2cf-q238

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-pm7g-w2cf-q238/GHSA-pm7g-w2cf-q238.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-pm7g-w2cf-q238

Aliases

CVE-2026-29000

Published

2026-03-05T00:31:11Z

Modified

2026-03-06T15:46:32.203144Z

Severity

10.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L CVSS Calculator
10.0 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L CVSS Calculator

Summary

pac4j-jwt: JwtAuthenticator Authentication Bypass via JWE-Wrapped PlainJWT

Details

pac4j-jwt versions prior to 4.5.9, 5.7.9, and 6.3.3 contain an authentication bypass vulnerability in JwtAuthenticator when processing encrypted JWTs that allows remote attackers to forge authentication tokens. Attackers who possess the server's RSA public key can create a JWE-wrapped PlainJWT with arbitrary subject and role claims, bypassing signature verification to authenticate as any user including administrators.

Database specific

{
    "cwe_ids": [
        "CWE-347"
    ],
    "github_reviewed_at": "2026-03-06T15:41:53Z",
    "nvd_published_at": "2026-03-04T22:16:18Z",
    "severity": "CRITICAL",
    "github_reviewed": true
}

References

Affected packages

Maven / org.pac4j:pac4j-jwt

Package

Name: org.pac4j:pac4j-jwt; View open source insights on deps.dev
Purl: pkg:maven/org.pac4j/pac4j-jwt

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.0.4.1

Fixed

6.3.3

Affected versions

6.*

6.0.4.1

6.0.5

6.0.6

6.1.0

6.1.1

6.1.2

6.1.3

6.2.0

6.2.1

6.2.2

6.3.0

6.3.1

6.3.2

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-pm7g-w2cf-q238/GHSA-pm7g-w2cf-q238.json"

Maven / org.pac4j:pac4j-jwt

Package

Name: org.pac4j:pac4j-jwt; View open source insights on deps.dev
Purl: pkg:maven/org.pac4j/pac4j-jwt

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0-RC1

Fixed

5.7.9

Affected versions

5.*

5.0.0-RC1

5.0.0-RC2

5.0.0

5.0.1

5.1.0

5.1.1

5.1.2

5.1.3

5.1.4

5.1.5

5.2.0

5.2.1

5.3.0

5.3.1

5.4.0

5.4.1

5.4.2

5.4.3

5.4.4

5.4.5

5.4.6

5.5.0

5.6.0

5.6.1

5.7.0

5.7.1

5.7.2

5.7.3

5.7.4

5.7.5

5.7.6

5.7.7

5.7.8

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-pm7g-w2cf-q238/GHSA-pm7g-w2cf-q238.json"

Maven / org.pac4j:pac4j-jwt

Package

Name: org.pac4j:pac4j-jwt; View open source insights on deps.dev
Purl: pkg:maven/org.pac4j/pac4j-jwt

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.5.9

Affected versions

1.*

1.8.0-RC1

1.8.0

1.8.1

1.8.2

1.8.3

1.8.4

1.8.5

1.8.6

1.8.7

1.8.8

1.8.9

1.9.0

1.9.1

1.9.2

1.9.3

1.9.4

1.9.5

1.9.6

1.9.7

1.9.8

1.9.9

2.*

2.0.0-RC1

2.0.0-RC2

2.0.0

2.1.0

2.2.0

2.2.1

2.3.0

2.3.1

3.*

3.0.0-RC1

3.0.0-RC2

3.0.0

3.0.1

3.0.2

3.1.0

3.2.0

3.3.0

3.4.0

3.5.0

3.6.0

3.6.1

3.7.0

3.8.0

3.8.1

3.8.2

3.8.3

3.9.0

4.*

4.0.0-RC1

4.0.0-RC2

4.0.0-RC3

4.0.0

4.0.1

4.0.2

4.0.3

4.1.0

4.2.0

4.3.0

4.3.1

4.4.0

4.5.0

4.5.1

4.5.2

4.5.3

4.5.4

4.5.5

4.5.6

4.5.7

4.5.8

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-pm7g-w2cf-q238/GHSA-pm7g-w2cf-q238.json"