
Your Server's Public Key Is All I Need to Become Admin, CVE-2026-29000
A CVSS 10.0 authentication bypass in pac4j-jwt. No secrets stolen. No brute force. Just your public key — the one you're supposed to share.

TL;DR

We found a critical authentication bypass in pac4j-jwt, one of the most widely used Java security libraries. An attacker who has only your server's RSA public key can forge a JWT token, authenticate as any user — including admin — and the server will trust it completely.

CVE: CVE-2026-29000
CVSS Score: 10.0 / 10.0 (Critical)
Affected: pac4j-jwt < 4.5.9, < 5.7.9, < 6.3.3
Fixed in: 4.5.9, 5.7.9, 6.3.3
CWE: CWE-347 (Improper Verification of Cryptographic Signature)

The Irony That Keeps Me Up at Night

Here's what makes this vulnerability uniquely terrifying: every single piece of code involved is technically correct. The JWT spec? Correctly implemented. The Nimbus library? Behaves exactly as documented. The null check? Perfectly valid Java.

The vulnerability isn't in any one component. It's in the assumption that ties them together — the assumpt
Continue reading on Dev.to
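The TL;DR above describes a token that verifies against the server's own public key without the server's private key ever having signed it, and files it under CWE-347. As an added, defender-side illustration (not pac4j's code, not the vendor fix, and making no claim about the exact code path behind this CVE), here is a small Java verifier built on the Nimbus JOSE+JWT library the post mentions. It assumes the real Nimbus API (SignedJWT, JWSAlgorithm, RSASSAVerifier); the class name PinnedJwtVerifier and the expected-issuer check are invented for the example.

```java
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;

import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.util.Date;

/**
 * Added example, not pac4j's code: a JWT verifier that never lets the token's own
 * header decide how the token is verified. The algorithm and the key are fixed by
 * server configuration; nothing read from the untrusted token influences them.
 */
public final class PinnedJwtVerifier {

    private final RSAPublicKey publicKey;   // the key signatures must verify against
    private final JWSAlgorithm expectedAlg; // the only algorithm accepted, e.g. JWSAlgorithm.RS256
    private final String expectedIssuer;    // assumed for the example: required "iss" claim

    public PinnedJwtVerifier(RSAPublicKey publicKey, JWSAlgorithm expectedAlg, String expectedIssuer) {
        if (publicKey == null || expectedAlg == null || expectedIssuer == null) {
            throw new IllegalArgumentException("verifier configuration must be complete");
        }
        this.publicKey = publicKey;
        this.expectedAlg = expectedAlg;
        this.expectedIssuer = expectedIssuer;
    }

    /**
     * Returns the verified claims or throws. There is deliberately no code path that
     * returns null or an empty result for a token that did not verify.
     */
    public JWTClaimsSet verify(String compactJwt) throws ParseException, JOSEException {
        if (compactJwt == null || compactJwt.isEmpty()) {
            throw new JOSEException("missing token");
        }

        // 1. Parse only the compact signed form. Unsigned or encrypted tokens fail to
        //    parse here instead of silently taking a different path.
        SignedJWT jwt = SignedJWT.parse(compactJwt);

        // 2. Pin the algorithm. The header is sender-controlled, so it is compared to
        //    the configured value rather than used to pick a verifier.
        JWSAlgorithm alg = jwt.getHeader().getAlgorithm();
        if (!expectedAlg.equals(alg)) {
            throw new JOSEException("unexpected alg in header: " + alg);
        }

        // 3. Verify with an RSA verifier bound to our key. RSASSAVerifier only handles the
        //    RSA signature family, so the key cannot be reinterpreted for another scheme.
        JWSVerifier verifier = new RSASSAVerifier(publicKey);
        if (!jwt.verify(verifier)) {
            throw new JOSEException("signature verification failed");
        }

        // 4. Claims are inspected only after the signature is trusted.
        JWTClaimsSet claims = jwt.getJWTClaimsSet();
        Date exp = claims.getExpirationTime();
        if (exp == null || exp.before(new Date())) {
            throw new JOSEException("token expired or has no exp claim");
        }
        if (!expectedIssuer.equals(claims.getIssuer())) {
            throw new JOSEException("unexpected issuer: " + claims.getIssuer());
        }
        return claims;
    }
}
```

The property worth checking in any verifier, this one included, is that nothing the token says about itself can change which key or which algorithm checks it, and that every non-verifying outcome ends in an exception rather than a null or empty value a caller might treat as success. For the library itself, the page lists the fixed versions (4.5.9, 5.7.9, 6.3.3); upgrading is the fix, and the pattern above is the general shape of CWE-347 hardening around it.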