fix(security): upgrade pac4j-jwt to 4.5.9 for CVE-2026-29000

abhu85 · abhu85 · commit 768e5e5b0440 · 2026-03-14T12:30:44.000-05:00
Upgrade pac4j from 4.0.0 to 4.5.9 to address CVE-2026-29000, a critical authentication bypass vulnerability (CVSS 9.1) in pac4j-jwt. The vulnerability allows attackers with access to the server's RSA public key to forge authentication tokens by wrapping a PlainJWT in JWE, effectively bypassing signature verification and authenticating as any user, including administrators. This is particularly critical for healthcare applications like WebAPI that handle sensitive patient data. Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-29000
diff --git a/pom.xml b/pom.xml
@@ -32,7 +32,7 @@
     <jersey.version>2.14</jersey.version>
     <SqlRender.version>1.19.1</SqlRender.version>
     <hive-jdbc.version>3.1.2</hive-jdbc.version>
-    <pac4j.version>4.0.0</pac4j.version>
+    <pac4j.version>4.5.9</pac4j.version>
     <jackson.version>2.12.7</jackson.version>
     <start-class>org.ohdsi.webapi.WebApi</start-class>
     <skipUnitTests>false</skipUnitTests>
