KB-2371 Information about the pac4j-jwt security vulnerability (CVE-2026-29000)

On 05 March 2026, a critical vulnerability was discovered in the pac4j-jwt library, affecting multiple versions of the security framework. Applications using affected versions of the JwtAuthenticator implementation may process maliciously crafted, encrypted JSON Web Tokens (JWE) in a way that allows an attacker to bypass authentication and gain unauthorized access to protected resources. Affected pac4j-jwt versions include 4.x (prior to 4.5.9), 5.x (prior to 5.7.9), and 6.x (prior to 6.3.3).

Appian has investigated this vulnerability and its services, and determined that it is not impacted, as pac4j-jwt is not utilized within the Appian Cloud environment or any of Appian’s products. We will continue to monitor the situation and provide any updates as appropriate.

Additional Notes:

The following CVE was released with additional information on the scope of the vulnerability:

CVE-2026-29000 - (pac4j-jwt JwtAuthenticator Authentication Bypass)

Supporting Documentation:

Affected Versions

This article applies to all supported versions of Appian.

Last reviewed: March 9, 2026
