CVE-2026-29000 is a CVSS 9.1 critical authentication bypass in pac4j-jwt, a widely used Java JWT authentication library, rooted in improper JWT signature verification (CWE-347). Unauthenticated attackers can fully bypass login controls in any application relying on this library, and Sonatype identified at least 18 additional dependent packages carrying transitive exposure. Active exploitation has not been widely observed (EPSS 25th percentile), but the severity and supply chain breadth make this an immediate inventory and patching priority; organizations should scan for direct and transitive pac4j-jwt dependencies, apply patches per the NVD record and Sonatype advisory, and review JWT validation logic in affected applications.
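One way to run the inventory step for Maven builds, shown as an added example that is not part of the advisory or of pac4j: the script reads the text output of `mvn dependency:tree` and reports every place `org.pac4j:pac4j-jwt` is pulled in, marking it direct or transitive and giving the dependency path. The sample tree, its `com.example` modules and all version strings are constructed for illustration, and the script does not judge whether a version is fixed, so compare the reported versions with the fixed release named in the NVD record and Sonatype advisory.

```python
import re

TARGET = "org.pac4j:pac4j-jwt"
SCOPES = {"compile", "runtime", "test", "provided", "system", "import"}
# "[INFO] " + tree drawing (3 characters per level) + the Maven coordinate
NODE = re.compile(r"^\[INFO\] ((?:[| ] {2})*(?:[+\\]- )?)(\S+)")

# Constructed sample of `mvn dependency:tree` output for a two-module build.
# Module names and versions are invented; only the pac4j-jwt coordinate is real.
SAMPLE_TREE = r"""
[INFO] --- dependency:tree (default-cli) @ portal ---
[INFO] com.example:portal:jar:1.0.0
[INFO] +- org.pac4j:pac4j-jwt:jar:0.0.0-sample:compile
[INFO] |  \- com.example:jose-helper:jar:0.0.1:compile
[INFO] +- com.example:sso-starter:jar:2.1.0:compile
[INFO] |  \- com.example:auth-core:jar:2.1.0:compile
[INFO] |     \- org.pac4j:pac4j-jwt:jar:0.0.0-sample:compile
[INFO] \- com.example:reports:jar:3.0.0:compile
[INFO] com.example:batch:jar:1.0.0
[INFO] \- com.example:logging:jar:1.2.3:compile
"""

def find_exposure(tree_text, target=TARGET):
    """Return one finding per occurrence of `target`, with the path that pulls it in."""
    findings, stack = [], []  # stack[d] is the coordinate currently open at depth d
    for line in tree_text.splitlines():
        m = NODE.match(line)
        if not m:
            continue
        fields = m.group(2).split(":")
        if len(fields) < 4:  # banners and other Maven log lines
            continue
        depth = len(m.group(1)) // 3
        coord = ":".join(fields[:2])  # groupId:artifactId
        # Dependencies end in a scope; the module root line ends in its version.
        version = fields[-2] if fields[-1] in SCOPES else fields[-1]
        del stack[depth:]  # close any branches deeper than this node
        stack.append(coord)
        if coord == target and depth > 0:
            findings.append({
                "module": stack[0],
                "kind": "direct" if depth == 1 else "transitive",
                "version": version,
                "path": " -> ".join(stack),
            })
    return findings

if __name__ == "__main__":
    for f in find_exposure(SAMPLE_TREE):
        print(f"{f['kind']:<10} {f['version']:<14} {f['path']}")
```

Transitive findings are the ones a manifest review misses: the `path` field names the intermediate package that has to be upgraded or overridden.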