Author here. We built CodeAnt AI, an AI code reviewer that analyzes code the way a security researcher would, reasoning about what specs allow vs what code assumes. It flagged a logic gap in pac4j-jwt: a PlainJWT wrapped inside a JWE bypasses all signature verification. CVE-2026-29000, CVSS 10.0 published, full auth bypass as any user including admin. The only input required is the server's RSA public key, the one that's publicly available by design.
Patches shipped across three major version lines in two business days. Kudos to the maintainer Jérôme Leleu for exceptional handling, and patching it in 48 hours.
Full PoC in the writeup. Happy to answer technical questions.
Author here. We built CodeAnt AI, an AI code reviewer that analyzes code the way a security researcher would, reasoning about what specs allow vs what code assumes. It flagged a logic gap in pac4j-jwt: a PlainJWT wrapped inside a JWE bypasses all signature verification. CVE-2026-29000, CVSS 10.0 published, full auth bypass as any user including admin. The only input required is the server's RSA public key, the one that's publicly available by design.
Patches shipped across three major version lines in two business days. Kudos to the maintainer Jérôme Leleu for exceptional handling, and patching it in 48 hours.
Full PoC in the writeup. Happy to answer technical questions.