A newly disclosed critical vulnerability in the widely used pac4j authentication framework is drawing attention across the open source community. Tracked as CVE-2026-29000, the flaw affects the pac4j-jwt library, which is commonly pulled in as a dependency by many popular Java authentication stacks, and could allow attackers to bypass authentication controls in affected Java applications.
While no in-the-wild exploitation has been reported as of March 11, 2026, the vulnerability's ease of exploitation and potential impact mean organizations should respond quickly. pac4j ranks among the top 2% most downloaded components on Maven Central, with more than 30,000 vulnerable downloads in the past week alone. Sonatype Security Research also identified 18 additional packages affected by the flaw, expanding the scope of potential downstream impact.
Sonatype's analysis also deviates from the current public advisory in two key ways. Based on internal research, the Sonatype Security Research team assigned the vulnerability a CVSS score of 9.1, reflecting what we believe more accurately represents the severity of the issue. The team also found that the vulnerability was introduced as early as version 1.9.2, rather than version 4.0 as stated in the original advisory.
pac4j is commonly used to implement identity flows such as OAuth, OpenID Connect, SAML, and JWT authentication. Because pac4j often sits at the identity boundary of an application, vulnerabilities in its authentication components can have far-reaching consequences across the systems that depend on it.
The vulnerability affects the JwtAuthenticator component of the pac4j-jwt library.
In vulnerable versions, certain encrypted JWT processing paths fail to properly enforce signature validation. This creates an authentication bypass condition where a malicious user can craft a specially constructed token and have it accepted as valid.
Specifically:
An attacker who obtains access to a server's RSA public key can create a forged token.
The token may contain arbitrary identity claims, such as usernames or privilege levels.
Because signature validation may be skipped in the vulnerable processing path, the application may accept the token as legitimate.
This scenario represents a worst-case outcome for authentication infrastructure, as attackers could potentially impersonate legitimate users, including administrative accounts.
The vulnerability impacts pac4j-jwt versions:
| pac4j-jwt Major Version | Vulnerable Versions | Fixed Versions |
| 4.x | Prior to 4.5.9 | 4.5.9 and later |
| 5.x | Prior to 5.7.9 | 5.7.9 and later |
| 6.x | Prior to 6.3.3 | 6.3.3 and later |
Not all critical vulnerabilities involve remote code execution (RCE). But authentication bypass bugs can be equally severe, because they undermine the core trust model of a system.
In modern architecture, identity tokens are often trusted across multiple services:
API gateways
microservices
identity providers
CI/CD platforms
internal dashboards
If an attacker can forge an identity token that appears valid, they may be able to move laterally across services that rely on the same authentication assertions.
Initial reporting focused on the vulnerable pac4j-jwt package. However, Sonatype's Security Research team identified a broader ecosystem impact.
According to our analysis:
Vulnerable versions of pac4j-jwt were downloaded 30,447 times in the past week alone.
The vulnerability also affects 18 additional related packages.
In total, 1,020 vulnerable component versions exist across these packages.
Those additional affected packages accounted for 52,735 downloads in the past week, bringing the total vulnerable downloads to more than 83,000 for this CVE. This illustrates how a vulnerability in a single authentication library can rapidly propagate across the open source ecosystem.
The pac4j maintainers have released patches across supported versions.
Organizations should first audit their dependency trees immediately to determine whether vulnerable pac4j components are present and to understand the scope of potential exposure.
If vulnerable versions are identified, teams should upgrade to the next patched minor release as soon as possible, using the fixed versions listed in the table above for the supported major release lines.
If upgrading immediately is not possible, a temporary mitigation strategy is to stop accepting PlainJWT tokens and instead require SignedJWT validation to ensure that tokens are properly verified before being accepted by the application.
Organizations directly using pac4j can follow the guidance in the pac4j documentation on enabling signature validation.
However, patching to a fixed version should remain the primary remediation strategy, as mitigation measures alone may not fully eliminate risk.
Incidents like the pac4j authentication bypass also highlight the limitations of legacy vulnerability management approaches, which often rely on delayed or incomplete public vulnerability data and struggle to keep pace with the speed and complexity of modern open source ecosystems.
Organizations that rely heavily on open source need fast, actionable vulnerability intelligence when security issues emerge.
Sonatype Lifecycle helps development and security teams quickly identify and remediate vulnerable dependencies across the SDLC.
With Lifecycle, teams can:
Identify vulnerable dependencies across applications and pipelines.
Understand the reachability and real-world risk of vulnerabilities.
Receive recommended safe upgrade paths.
Automatically enforce security policies in CI/CD pipelines.
For CVE-2026-29000, Sonatype customers using Lifecycle have access to recommended remediation guidance and a safe upgrade path.
Developers can also use Sonatype Guide to research vulnerabilities and open source components in real time.
Guide provides instant access to Sonatype’s open source intelligence, helping developers and security teams:
Investigate vulnerabilities and understand affected components.
Discover safer versions and recommended upgrade paths.
Evaluate open source packages using security, maintenance, and licensing signals.
Identify vulnerable or risky dependencies before they are introduced into projects.
Guide also integrates with modern development workflows and AI coding assistants, giving those tools real-time access to Sonatype's vulnerability intelligence so they can recommend secure, well-maintained components from the start.
This combination of developer-friendly research tools and automated policy enforcement helps teams respond faster to emerging threats and reduce the risk of vulnerable dependencies entering their software supply chains.