cipher1x1/CVE-2026-29000
GitHub: cipher1x1/CVE-2026-29000
A PoC tool for demonstrating and verifying the pac4j-jwt authentication bypass vulnerability (CVE-2026-29000).
Stars: 0 | Forks: 0
# CVE-2026-29000: pac4j-jwt Authentication Bypass Proof of Concept (PoC)
### ⚠️ Disclaimer
**This tool is for educational and ethical security testing purposes only.** I do not and will not support threat acting in any way, shape or form. Use at your own risk.
- This is also my first PoC, so be nice please.
- This is designed around the "Principal" medium HackTheBox machine.
## Overview
**CVE-2026-29000** is a critical vulnerability (CVSS 10.0) in the `pac4j-jwt` library. It stems from improper validation logic in the `JwtAuthenticator` when handling nested (encrypted) tokens.
The flaw exists because while `pac4j` correctly decrypts a JWE (JSON Web Encryption) token using the server's key, it fails to enforce signature verification on the inner JWT. This allows an attacker to wrap an unsigned JWT (using `{"alg": "none"}`) inside a valid JWE wrapper. The server decrypts the JWE, trusts the inner payload, and grants access.
## Vulnerability Details
- **Affected Versions:** `pac4j` versions prior to 4.5.9, 5.7.9, and 6.3.3.
- **Vulnerability Type:** Improper Authentication / Signature Validation Bypass.
- **Impact:** Complete authentication bypass and privilege escalation (e.g., gaining `ROLE_ADMIN`).
## Proof of Concept
The provided script, `CVE-2026-29000.py`, automates the following steps:
1. **Key Discovery:** Retrieves the target's public RSA key via the `/api/auth/jwks` endpoint.
2. **Inner Token Forgery:** Crafts an unsigned JWT with `alg: none` and administrative claims.
3. **Encryption Wrapping:** Encrypts the forged JWT into a JWE container using the retrieved public key.
4. **Exploitation:** Sends the forged JWE to a protected endpoint to verify unauthorized access.
### Prerequisites
Ensure you have the required Python libraries installed:
```
pip install requests jwcrypto
```
### Usage
```
python3 CVE-2026-29000.py
```
**Example:**
```
python3 CVE-2026-29000.py http://vulnerable-app.local:8080
```
## Mitigation
To mitigate this vulnerability, take the following actions:
1. **Update Library:** Upgrade `pac4j-jwt` to version **4.5.9**, **5.7.9**, or **6.3.3** (or higher) immediately.
2. **Enforce Signatures:** Ensure your `JwtAuthenticator` configuration explicitly requires a valid signature and does not permit the `none` algorithm.
3. **Disable JWE:** If your application does not require encrypted tokens, disable JWE support to reduce the attack surface.
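The second mitigation step is the one that actually closes the hole: after a JWE is decrypted, the recovered inner JWT must be held to the same signature rule as a bare token, and `none` must never be in the accepted algorithm set. The following is an added, defender-side illustration of that rule in plain Python; it is not code from this repository or from the pac4j project. It assumes an HS256 shared-secret deployment (pac4j's RSA signing is not reproduced), uses a constructed demo key, and treats JWE decryption as already done elsewhere, so `accept_nested_token` receives the decrypted inner token as a string.

```python
import base64
import hashlib
import hmac
import json

# Explicit allowlist. "none" is never a member, so an unsigned token can
# never pass, and an unexpected alg cannot be used to confuse the verifier.
ALLOWED_ALGS = {"HS256"}

# Constructed demo key; a real deployment would load this from a secret store.
DEMO_KEY = b"constructed-demo-secret-not-for-production"


class TokenRejected(Exception):
    """Raised for any token that must not be trusted."""


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def verify_jws(token: str, key: bytes) -> dict:
    """Return the claims of a compact JWS only if its alg is allowlisted and
    its HMAC signature verifies under `key`. Everything else is rejected."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("not a three-part compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:
        # Covers "none", a missing alg, and any algorithm we did not opt into.
        raise TokenRejected(f"alg {alg!r} is not permitted")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenRejected("signature does not verify")
    return json.loads(_b64url_decode(payload_b64))


def accept_nested_token(decrypted_inner: str, key: bytes) -> dict:
    """Called with the plaintext recovered from a JWE (decryption is assumed
    to have happened elsewhere and is not shown). Decryption only proves the
    token was encrypted to our public key, which anyone holding that key can
    do; the inner JWT gets exactly the same signature check as a bare one."""
    return verify_jws(decrypted_inner, key)


def mint_hs256(claims: dict, key: bytes) -> str:
    """Constructed helper producing a legitimately signed token for the demo."""
    header_b64 = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload_b64 = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{_b64url_encode(sig)}"


def mint_unsigned(claims: dict) -> str:
    """Constructed negative test vector: an alg=none token with an empty
    signature, the shape of the inner token this advisory describes."""
    header_b64 = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload_b64 = _b64url_encode(json.dumps(claims).encode())
    return f"{header_b64}.{payload_b64}."


def is_accepted(inner_token: str, key: bytes = DEMO_KEY) -> bool:
    """True only if the decrypted inner token survives the full check."""
    try:
        accept_nested_token(inner_token, key)
        return True
    except TokenRejected:
        return False


if __name__ == "__main__":
    admin = {"sub": "alice", "roles": ["ROLE_ADMIN"]}
    print("signed    ->", is_accepted(mint_hs256(admin, DEMO_KEY)))  # True
    print("alg none  ->", is_accepted(mint_unsigned(admin)))         # False
    print("wrong key ->", is_accepted(mint_hs256(admin, b"other")))  # False
```

The design point is that the allowlist is positive (`alg in ALLOWED_ALGS`) rather than a blocklist of `none`, and that `accept_nested_token` delegates to the very same `verify_jws` used for unwrapped tokens, so there is no second, weaker code path for the decrypted case. A regression test for a fix of this class should assert that an unsigned inner token with `ROLE_ADMIN` claims is rejected even when its JWE wrapper decrypts cleanly.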
## References
- [Official CVE Entry (CVE-2026-29000)](https://nvd.nist.gov/vuln/detail/CVE-2026-29000)
- [pac4j Security Advisories](https://github.com/pac4j/pac4j/security/advisories)
**Created by:** Cipher1x1
Tags: alg none, API attack, CVE, Java security, JSON Web Encryption, JSON Web Token, JWE, JWT, None Algorithm, pac4j, pac4j-jwt, PoC, ROLE_ADMIN, RSA public key, SDLC, token forgery, web security, middleware vulnerability, cryptographic misuse, protocol analysis, key discovery, key leakage, digital signature, brute force, privilege escalation, vulnerability reproduction, privilege escalation, signature verification, automated deployment, authentication bypass, reverse-engineering tool