
Critical Authentication Bypass Vulnerability in pac4j JWT Library Requires Immediate Patching
Tags: cybersecurity, vulnerability, authentication, JWT, pac4j, CVE-2026-29000, security-patch, authentication-bypass, JWE, critical-vulnerability
A critical vulnerability (CVE-2026-29000) in pac4j-jwt allows attackers to bypass authentication by crafting a JWE-wrapped PlainJWT with arbitrary claims using an RSA public key. This flaw affects the JwtAuthenticator when accepting encrypted JWTs (JWE), enabling impersonation of any user, including admins. The issue impacts versions before 4.5.9, 5.7.9, and 6.3.3. Official advisories and technical details are linked in the post.
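The check a defender wants after decrypting a JWE is that the inner object is a signed JWT whose signature verifies, so that encryption under a public key (which anyone can perform) never substitutes for a signature. The following is an added illustration written against the Nimbus JOSE+JWT API; it is not pac4j's code or its actual fix, and the class name, key fields and exception messages are assumptions.

```java
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.crypto.RSADecrypter;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.EncryptedJWT;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.jwt.SignedJWT;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;

/** Illustrative strict validator (assumed name, not pac4j's code). */
public final class StrictJwtValidator {
    private final RSAPrivateKey decryptionKey;   // our private key, unwraps the JWE
    private final RSAPublicKey signingPublicKey; // issuer's public key, verifies the JWS

    public StrictJwtValidator(RSAPrivateKey decryptionKey, RSAPublicKey signingPublicKey) {
        this.decryptionKey = decryptionKey;
        this.signingPublicKey = signingPublicKey;
    }

    /** Returns the claims only if the token is (or wraps) a JWS that verifies. */
    public JWTClaimsSet validate(String token) throws Exception {
        JWT jwt = JWTParser.parse(token);
        SignedJWT signed;
        if (jwt instanceof EncryptedJWT) {
            EncryptedJWT jwe = (EncryptedJWT) jwt;
            jwe.decrypt(new RSADecrypter(decryptionKey));
            // Payload.toSignedJWT() returns null unless the decrypted payload is a JWS,
            // so an inner PlainJWT (the shape described above) is rejected here.
            signed = jwe.getPayload().toSignedJWT();
            if (signed == null) {
                throw new SecurityException("JWE payload is not a signed JWT");
            }
        } else if (jwt instanceof SignedJWT) {
            signed = (SignedJWT) jwt;
        } else {
            // A bare PlainJWT carries no proof of origin at all.
            throw new SecurityException("unsigned JWT rejected");
        }
        JWSVerifier verifier = new RSASSAVerifier(signingPublicKey);
        if (!signed.verify(verifier)) {
            throw new SecurityException("JWT signature invalid");
        }
        // Caller still checks exp, iss and aud on the returned claims.
        return signed.getJWTClaimsSet();
    }
}
```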