Critical pac4j-jwt Authentication Bypass Vulnerability Allows Attackers to Impersonate Any User
A critical authentication bypass vulnerability (CVE-2026-29000) in the pac4j-jwt Java library allows attackers to impersonate any user by forging unsigned JSON Web Tokens (JWTs) using only the server’s public RSA key. This flaw bypasses signature verification, and patches are available for versions 4.x, 5.x, and 6.x.
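The defender-side invariant this vulnerability class violates is simple to state: no claim in a token may be trusted until the token's signature has been verified under an algorithm the server explicitly allows, and a token that carries no signature at all (an unsecured JWT, `"alg":"none"`, or a missing signature segment) must be rejected before any claim is read. The following is an added illustration written for this article, not pac4j code and not the patch for CVE-2026-29000. It uses a stdlib HMAC verifier as a stand-in for the RSA signature verification pac4j-jwt performs; the `sign_hs256` helper, the key and the claims are constructed for the demo, and `ALLOWED_ALGS` is an assumed server policy.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed example, not pac4j code. Demonstrates the consumer-side rule that a JWT
# is unauthenticated until its signature verifies under an allow-listed algorithm.
# HMAC-SHA256 stands in for the RSA verification a real deployment would perform.

ALLOWED_ALGS = {"HS256"}  # assumed policy: only the algorithms the issuer uses, never "none"


def _b64url_decode(s: str) -> bytes:
    s += "=" * (-len(s) % 4)
    return base64.urlsafe_b64decode(s.encode("ascii"))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def sign_hs256(claims: dict, key: bytes) -> str:
    # Issuer side (demo helper): produce a JWS compact-serialized token.
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token: str, key: bytes) -> Optional[dict]:
    """Return the claims only if the token carries a verified signature, else None.

    Never raises on attacker-controlled input; callers treat None as unauthenticated.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None  # JWS compact form has exactly three segments; unsecured 2-part tokens fail here
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError:  # covers binascii.Error, UnicodeDecodeError and bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") not in ALLOWED_ALGS:
        return None  # rejects "none", a missing alg, and any algorithm the server did not allow-list
    if not parts[2]:
        return None  # empty signature segment: an unsecured JWT is never acceptable
    signing_input = f"{parts[0]}.{parts[1]}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    try:
        provided = _b64url_decode(parts[2])
    except ValueError:
        return None
    if not hmac.compare_digest(expected, provided):
        return None  # constant-time comparison; tampered or foreign-key signatures fail here
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:
        return None
    return claims if isinstance(claims, dict) else None


if __name__ == "__main__":
    key = b"demo-only-key"  # constructed
    good = sign_hs256({"sub": "alice"}, key)
    print("signed token accepted:", verify_token(good, key))
    unsigned = _b64url_encode(b'{"alg":"none"}') + "." + _b64url_encode(b'{"sub":"alice"}') + "."
    print("unsigned token accepted:", verify_token(unsigned, key))
```

The ordering matters: the algorithm allow-list and the presence of a signature are checked before the payload is even decoded, so a token that reaches the claims stage has already been authenticated. The same rule applies when tokens are also encrypted: decrypting a token proves only that someone could reach the public key, which is exactly the capability the article says the attacker has, so decryptability must never substitute for signature verification.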