pac4j-jwt is vulnerable to Improper Verification of Cryptographic Signature
Severity: Critical Risk (score 100)
Affected versions of pac4j-jwt are vulnerable to an authentication bypass in the JwtAuthenticator when processing encrypted JWTs. Due to improper validation of JWE-wrapped PlainJWT tokens, signature verification may be bypassed during authentication. An attacker who possesses the server’s RSA public key can craft a malicious encrypted JWT containing arbitrary subject or role claims, allowing them to **forge authentication tokens and impersonate arbitrary users**, including administrators.
You are affected if you are using a version that falls within the vulnerable range.
pac4j-jwt is vulnerable to Improper Verification of Cryptographic Signature in versions 0.0.1 through 4.5.8, 5.0.0 through 5.7.8, and 6.0.0 through 6.3.2.
Upgrade the org.pac4j:pac4j-jwt library to a patched version.
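The defensive rule the advisory implies is that decryption is not authentication: a JWE can be produced by anyone holding the public key, so the decrypted payload must itself be a signed JWT whose signature is verified before any claim is trusted. The validator below is an added example written for this page, not pac4j's JwtAuthenticator, using the Nimbus JOSE+JWT API that pac4j-jwt builds on; the class name and the two keys it takes are assumptions.

```java
import java.security.PrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.crypto.RSADecrypter;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.EncryptedJWT;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.jwt.SignedJWT;

/** Hypothetical strict validator: accepts only a signed JWT, bare or JWE-wrapped. */
public final class StrictJwtValidator {

    private final RSAPublicKey signingPublicKey;   // verifies the inner JWS
    private final PrivateKey encryptionPrivateKey; // unwraps the outer JWE

    public StrictJwtValidator(RSAPublicKey signingPublicKey, PrivateKey encryptionPrivateKey) {
        this.signingPublicKey = signingPublicKey;
        this.encryptionPrivateKey = encryptionPrivateKey;
    }

    public JWTClaimsSet validate(String token) throws ParseException, JOSEException {
        JWT jwt = JWTParser.parse(token);
        SignedJWT signed;
        if (jwt instanceof EncryptedJWT) {
            EncryptedJWT encrypted = (EncryptedJWT) jwt;
            encrypted.decrypt(new RSADecrypter(encryptionPrivateKey));
            // A successful decrypt only proves the sender had the public key.
            // toSignedJWT() returns null for a PlainJWT or raw claims payload,
            // which is exactly the case that must be rejected, never trusted.
            signed = encrypted.getPayload().toSignedJWT();
            if (signed == null) {
                throw new JOSEException("JWE does not wrap a signed JWT; unsigned payload rejected");
            }
        } else if (jwt instanceof SignedJWT) {
            signed = (SignedJWT) jwt;
        } else {
            throw new JOSEException("Unsigned (plain) JWT rejected");
        }
        // Claims are read only after the signature has been checked.
        if (!signed.verify(new RSASSAVerifier(signingPublicKey))) {
            throw new JOSEException("JWS signature verification failed");
        }
        return signed.getJWTClaimsSet();
    }
}
```

Whatever validator is in use, a useful regression test is a JWE whose payload is a PlainJWT with a privileged subject: it must be rejected, not yield claims.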