https://community.appian.com/support/w/kb/3782/kb-2371-information-about-the-pac4j-jwt-security-vulnerability-cve-2026-29000en-USTelligent Community 12https://community.appian.com/support/w/kb/3782/kb-2371-information-about-the-pac4j-jwt-security-vulnerability-cve-2026-29000Mon, 09 Mar 2026 15:06:48 GMTd3a83456-d57b-489c-a84c-4e8267bb592a:d5bb1928-4d0d-45d3-81d2-25a7f476c352pauline.delacruzhttps://community.appian.com/support/w/kb/3782/kb-2371-information-about-the-pac4j-jwt-security-vulnerability-cve-2026-29000#commentsCurrent Revision posted to Appian Knowledge Base by pauline.delacruz on 3/9/2026 3:06:48 PM<br /> <p><span style="font-weight:400;">On 05 March 2026, a critical vulnerability was </span><a href="https://www.codeant.ai/security-research/pac4j-jwt-authentication-bypass-public-key"><span style="font-weight:400;">discovered</span></a><span style="font-weight:400;"> related to the pac4j-jwt library that affects multiple versions of the security framework. Applications using affected versions of the JwtAuthenticator implementation may process maliciously crafted, encrypted JSON Web Tokens (JWE) in a way that allows an attacker to bypass authentication and gain unauthorized access to protected resources. Affected pac4j-jwt versions include 4.x (prior to 4.5.9), 5.x (prior to 5.7.9), and 6.x (prior to 6.3.3).</span></p> <p><span style="font-weight:400;">Appian has investigated this vulnerability and its services, and determined that it is not impacted, </span><span style="font-weight:400;">as pac4j-jwt is not utilized within the Appian Cloud environment or any of Appian&rsquo;s products. We will continue to monitor the situation and provide any updates as appropriate.</span></p> <h2><span style="font-weight:400;">Additional Notes:&nbsp;</span></h2> <p><span style="font-weight:400;">The following CVE was released with additional information on the scope of the vulnerability:</span></p> <p><a href="https://nvd.nist.gov/vuln/detail/CVE-2026-29000"><span style="font-weight:400;">CVE-2026-29000</span></a><span style="font-weight:400;"> - (pac4j-jwt JwtAuthenticator Authentication Bypass)</span></p> <h2><span style="font-weight:400;">Supporting Documentation:</span></h2> <ul> <li style="font-weight:400;"><span style="font-weight:400;"><a id="" href="https://www.codeant.ai/security-research/pac4j-jwt-authentication-bypass-public-key">https://www.codeant.ai/security-research/pac4j-jwt-authentication-bypass-public-key</a>&nbsp;</span></li> <li style="font-weight:400;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2026-29000"><span style="font-weight:400;">https://nvd.nist.gov/vuln/detail/CVE-2026-29000</span></a></li> <li style="font-weight:400;"><a href="https://www.cve.org/CVERecord?id=CVE-2026-29000"><span style="font-weight:400;">https://www.cve.org/CVERecord?id=CVE-2026-29000</span></a></li> <li style="font-weight:400;"><span style="font-weight:400;"><a id="" href="https://www.pac4j.org/blog/security-advisory-pac4j-jwt-jwtauthenticator.html">https://www.pac4j.org/blog/security-advisory-pac4j-jwt-jwtauthenticator.html</a><a href="https://www.pac4j.org/blog/security-advisory-pac4j-jwt-jwtauthenticator.html"></a></span></li> </ul> <h2><span>Affected Versions</span></h2> <p><span>This article applies to all supported versions of Appian.</span></p> <p><span>Last reviewed:&nbsp;</span><span>March 9, 2026</span></p><div style="clear:both;"></div> <div style="font-size: 90%;">Tags: Security</div> https://community.appian.com/support/w/kb/3782/kb-2371-information-about-the-pac4j-jwt-security-vulnerability-cve-2026-29000/revision/1Mon, 09 Mar 2026 15:06:17 GMTd3a83456-d57b-489c-a84c-4e8267bb592a:d5bb1928-4d0d-45d3-81d2-25a7f476c352pauline.delacruzhttps://community.appian.com/support/w/kb/3782/kb-2371-information-about-the-pac4j-jwt-security-vulnerability-cve-2026-29000#commentsRevision 1 posted to Appian Knowledge Base by pauline.delacruz on 3/9/2026 3:06:17 PM<br /> <p><span style="font-weight:400;">On 05 March 2026, a critical vulnerability was </span><a href="https://www.codeant.ai/security-research/pac4j-jwt-authentication-bypass-public-key"><span style="font-weight:400;">discovered</span></a><span style="font-weight:400;"> related to the pac4j-jwt library that affects multiple versions of the security framework. Applications using affected versions of the JwtAuthenticator implementation may process maliciously crafted, encrypted JSON Web Tokens (JWE) in a way that allows an attacker to bypass authentication and gain unauthorized access to protected resources. Affected pac4j-jwt versions include 4.x (prior to 4.5.9), 5.x (prior to 5.7.9), and 6.x (prior to 6.3.3).</span></p> <p><span style="font-weight:400;">Appian has investigated this vulnerability and its services, and determined that it is not impacted, </span><span style="font-weight:400;">as pac4j-jwt is not utilized within the Appian Cloud environment or any of Appian&rsquo;s products. We will continue to monitor the situation and provide any updates as appropriate.</span></p> <h2><span style="font-weight:400;">Additional Notes:&nbsp;</span></h2> <p><span style="font-weight:400;">The following CVE was released with additional information on the scope of the vulnerability:</span></p> <p><a href="https://nvd.nist.gov/vuln/detail/CVE-2026-29000"><span style="font-weight:400;">CVE-2026-29000</span></a><span style="font-weight:400;"> - (pac4j-jwt JwtAuthenticator Authentication Bypass)</span></p> <h2><span style="font-weight:400;">Supporting Documentation:</span></h2> <ul> <li style="font-weight:400;"><span style="font-weight:400;">https://www.codeant.ai/security-research/pac4j-jwt-authentication-bypass-public-key</span></li> <li style="font-weight:400;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2026-29000"><span style="font-weight:400;">https://nvd.nist.gov/vuln/detail/CVE-2026-29000</span></a></li> <li style="font-weight:400;"><a href="https://www.cve.org/CVERecord?id=CVE-2026-29000"><span style="font-weight:400;">https://www.cve.org/CVERecord?id=CVE-2026-29000</span></a></li> <li style="font-weight:400;"><span style="font-weight:400;"><a id="" href="https://www.pac4j.org/blog/security-advisory-pac4j-jwt-jwtauthenticator.html">https://www.pac4j.org/blog/security-advisory-pac4j-jwt-jwtauthenticator.html</a><a href="https://www.pac4j.org/blog/security-advisory-pac4j-jwt-jwtauthenticator.html"></a></span></li> </ul> <h2><span>Affected Versions</span></h2> <p><span>This article applies to all supported versions of Appian.</span></p> <p><span>Last reviewed:&nbsp;</span><span>March 9, 2026</span></p> <div style="clear:both;"></div>