HTB · Medium
HTB Principal: JWT Authentication Bypass to SSH CA Key Forgery
A Java web app using pac4j-jwt/6.0.3 is vulnerable to CVE-2026-29000, which allows JWT authentication bypass via JWE token forgery. API enumeration as admin leaks an SSH deployment key. Once user access is obtained, a readable SSH CA private key enables forging an SSH user certificate for root, giving privilege escalation.
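The privilege-escalation step above hinges on the SSH CA private key being readable by an unprivileged user. As an added defensive example (not code from the HTB writeup, and not from pac4j or OpenSSH), the script below audits that exposure: it reads `TrustedUserCAKeys` entries from an `sshd_config`, assumes the CA private key sits beside the listed public key under the same name without `.pub` (an assumption about layout, not a rule of OpenSSH), and flags any private key whose mode grants group or other read access. The `/etc/ssh/sshd_config` path in the usage line is only the conventional location.

```shell
#!/bin/sh
# Added defensive example, not code from the HTB writeup: audit the file
# permissions of an SSH CA private key so it cannot be read by unprivileged
# users (the exposure that enables certificate forgery in the box summary).

# check_ca_key_perms FILE
# Returns 0 if FILE exists and has no group/other permission bits set
# (e.g. 600 or 400), 1 if group or others have any access, 2 if missing.
check_ca_key_perms() {
  key="$1"
  if [ ! -f "$key" ]; then
    echo "missing: $key" >&2
    return 2
  fi
  # GNU/busybox stat first, BSD/macOS stat as a fallback
  mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
  case "$mode" in
    *00) return 0 ;;                                   # owner-only bits: ok
    *)   echo "too permissive: $key mode $mode" >&2; return 1 ;;
  esac
}

# ca_private_key_from_config SSHD_CONFIG
# Prints the assumed private-key path for each TrustedUserCAKeys entry by
# stripping a trailing ".pub" (assumption: the private key lives beside the
# public key under the conventional name; adjust for your deployment).
ca_private_key_from_config() {
  conf="$1"
  grep -i '^[[:space:]]*TrustedUserCAKeys' "$conf" 2>/dev/null \
    | awk '{print $2}' \
    | sed 's/\.pub$//'
}

# audit_sshd_ca SSHD_CONFIG
# Returns 0 if every CA private key found is owner-only readable, 1 otherwise.
audit_sshd_ca() {
  status=0
  for k in $(ca_private_key_from_config "$1"); do
    check_ca_key_perms "$k" || status=1
  done
  return $status
}

# Usage (conventional path, adjust as needed): sh audit_ca.sh /etc/ssh/sshd_config
if [ $# -gt 0 ]; then
  audit_sshd_ca "$1" && echo "ok: CA private keys are owner-only readable"
fi
```

Run it as root on the host whose `sshd` trusts the CA; a non-zero exit means at least one CA private key is readable beyond its owner and should be moved off the host (CA signing normally belongs on a separate, locked-down machine) or at minimum restricted to mode 600 and owned by root.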