Max severity pac4j flaw easily exploitable, researchers warn

Vulnerability Management, Patch/Configuration Management

CyberScoop reports that pac4j, a widely used Java security library, is affected by a maximum-severity flaw that, according to CodeAnt AI co-founder and CEO Amartya Jha, could be weaponized by anyone with basic knowledge of JSON Web Tokens.

The vulnerability, tracked as CVE-2026-29000, affects pac4j's authentication component, which is used across several frameworks, including Javalin, Spring Security, Vert.x, and Play Framework. Arctic Wolf Labs researchers said attackers could bypass authentication by forging JWTs or using JSON Web Encryption in pac4j-jwt. Exploitation requires access to a server's public RSA key, which is typically shared openly to enable encryption and identity verification. The flaw was discovered by CodeAnt AI and reported privately to the project's maintainer. No attacks exploiting the vulnerability, which has already been patched, have been observed.

"Downstream consumers of the library may end up needing to issue their own advisories, as we've seen with other similar vulnerabilities in the past," researchers said. CodeAnt AI said it has contacted hundreds of maintainers whose repositories may be affected by the flaw.
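The report's key point is that the bypass needs only the server's public RSA key, via forged JWTs or JWE. The article does not describe the exact mechanism of CVE-2026-29000, so the following is an added, generic defensive example (not from the article, pac4j, CodeAnt AI, or Arctic Wolf, and not the project's patch): a stdlib-only Python gate that a downstream application can place in front of whatever library verifies a bearer token. It accepts only three-segment JWS tokens whose `alg` is on an allowlist of asymmetric signature algorithms, and rejects JWE-shaped (five-segment) tokens, `alg: none`, and HMAC algorithms, since none of those prove possession of the private key. The sample tokens, `pre_validate`, and `is_acceptable` are constructed for this example; real signature verification with the public key still has to follow.

```python
import base64
import json

# Asymmetric signature algorithms a public key can legitimately verify.
ALLOWED_SIGNING_ALGS = {
    "RS256", "RS384", "RS512",
    "PS256", "PS384", "PS512",
    "ES256", "ES384", "ES512",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def classify_token(token: str) -> str:
    """Classify a compact-serialized JOSE token by segment count only."""
    n = len(token.split("."))
    if n == 3:
        return "jws"   # header.payload.signature
    if n == 5:
        return "jwe"   # header.key.iv.ciphertext.tag
    return "invalid"


def pre_validate(token: str, allowed_algs=frozenset(ALLOWED_SIGNING_ALGS)) -> dict:
    """Gate a token before any cryptographic work; returns the parsed header.

    Rejects JWE (anyone holding the public key can produce one), 'none',
    symmetric HS* algorithms (public-key-as-HMAC-secret confusion), and
    malformed headers. Raises ValueError on rejection.
    """
    kind = classify_token(token)
    if kind == "jwe":
        raise ValueError("JWE rejected: encryption with a public key proves nothing about the sender")
    if kind != "jws":
        raise ValueError("malformed token")
    try:
        header = json.loads(_b64url_decode(token.split(".")[0]))
    except ValueError as exc:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        raise ValueError("unparseable JOSE header") from exc
    if not isinstance(header, dict):
        raise ValueError("JOSE header is not an object")
    if "enc" in header:
        raise ValueError("encryption header field on a JWS-shaped token")
    alg = header.get("alg")
    if alg not in allowed_algs:
        raise ValueError(f"algorithm {alg!r} not in allowlist")
    return header


def is_acceptable(token: str) -> bool:
    """Boolean wrapper for use as an early filter in an auth middleware."""
    try:
        pre_validate(token)
        return True
    except ValueError:
        return False


def make_token(header: dict, payload: dict, trailing: str = "sig") -> str:
    """Build a constructed, unsigned 3-segment token for demonstration only."""
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(payload).encode()),
                     trailing])


# Constructed sample tokens (no real keys or signatures involved).
SIGNED = make_token({"alg": "RS256", "typ": "JWT"}, {"sub": "alice"})
NONE_ALG = make_token({"alg": "none"}, {"sub": "alice"}, "")
HMAC = make_token({"alg": "HS256"}, {"sub": "alice"})
ENCRYPTED = ".".join([
    _b64url(json.dumps({"alg": "RSA-OAEP", "enc": "A256GCM"}).encode()),
    "cek", "iv", "ct", "tag",
])

if __name__ == "__main__":
    for name, tok in [("signed", SIGNED), ("none", NONE_ALG),
                      ("hmac", HMAC), ("encrypted", ENCRYPTED)]:
        print(f"{name:10s} {classify_token(tok):8s} accepted={is_acceptable(tok)}")
```

The gate deliberately does no cryptography: its job is to ensure that the only tokens reaching the verifier are ones whose validity can be established solely by a signature check against the public key, so a change in how the library interprets other token forms cannot silently widen what counts as "authenticated".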
