CVE-2026-29000 is a reported CVSS 10.0 authentication bypass in pac4j-jwt and 18 or more additional pac4j ecosystem packages, allowing unauthenticated attackers to bypass access controls on any protected resource. Affected version ranges have not yet been confirmed from authoritative sources and must be verified against the official pac4j advisory and NVD before scoping remediation. Organizations should perform an immediate Maven or Gradle dependency scan for all pac4j packages, monitor NVD and Sonatype for version range confirmation, and evaluate compensating controls such as WAF authentication enforcement for any internet-facing applications using pac4j while patching is planned.