pac4j CVE-2026-29000: Public Key Forges JWTs Pre-Auth

◆ DEEP DIVES

1. 01

   Three Security Vulnerabilities You Must Address This Week — One Is Already Being Exploited

   <h3>CVE-2026-29000: pac4j JWT Forgery via Public RSA Keys</h3><p>This is <strong>maximum-severity</strong>, pre-authentication, internet-facing, and has a <strong>public proof-of-concept</strong>. The pac4j Java security library accepts JWTs signed with HS256 using the public RSA key as the HMAC secret when it should only accept RS256 signatures verified against that public key. This is a well-known algorithm confusion vulnerability class (see Auth0's 2015 advisory), but the fact it's appearing in a widely-used library integrated into hundreds of packages in 2026 is alarming. The patches shipped within two days, which is commendable — but the <strong>real risk window is right now</strong>, between PoC publication and widespread patching.</p><blockquote>If pac4j is three layers deep in your dependency graph behind a framework adapter, you might not even know you're affected. This is precisely the scenario where SBOM generation pays for itself.</blockquote><p>Run <code>mvn dependency:tree -Dincludes=org.pac4j</code> and equivalent Gradle commands. Check fat JARs and shaded dependencies where the package name may be relocated.</p><hr><h3>MCP Authorization Is Broken by Design — Not by Implementation</h3><p>Doyensec published a comprehensive attack surface map of MCP's OAuth 2.0 and JAG (Identity Assertion JWT Authorization Grant) model. Four structural flaws make production MCP deployments provably insecure:</p><ol><li><strong>No token revocation path</strong> for misbehaving agents — compromised agents retain access until token expiry</li><li><strong>LLM-driven scope escalation</strong> without user consent — the scope negotiation layer is LLM-influenceable</li><li><strong>Undefined client credential issuance</strong> enabling namespace collision and resource identifier injection</li><li><strong>ID-JAG replay</strong> amplifies blast radius across multiple MCP access tokens</li></ol><p>Confirmed CVEs already exist: CVE-2025-53100 and CVE-2025-53818 for command injection, CVE-2025-4144 and CVE-2025-4143 for SSO metadata manipulation. DNS rebinding against unauthenticated localhost WebSocket servers rounds out the attack surface. These aren't bugs to patch — they're <strong>design gaps in a spec being deployed to production today</strong>.</p><hr><h3>Copilot Agent Weaponized as Zero-Click Exfil Channel</h3><p><strong>CVE-2026-26144</strong> turns Microsoft's Copilot Agent into a data exfiltration tool via an Excel information-disclosure flaw. The attack requires zero user interaction. The blast radius is everything the Copilot Agent can read — which, by design, is broad. This is the <strong>'confused deputy' problem</strong> applied to AI assistants: a traditional flaw lets an attacker hijack the agent's execution context, and the agent's ambient permissions amplify the damage.</p><p>Two additional Office RCEs (CVE-2026-26110, CVE-2026-26113) are exploitable through the <strong>preview pane alone</strong> — a malicious document in your inbox or shared Teams channel executes code before anyone deliberately opens it. Automated document processing pipelines are also attack surfaces.</p><blockquote>Every organization rolling out AI copilots needs to treat the agent's permission model as a security-critical architecture decision, not an IT configuration checkbox.</blockquote>

   Action items

   • Run transitive dependency scan for pac4j across all Java services and apply patches for CVE-2026-29000 today
   • Apply March 2026 Patch Tuesday with priority on CVE-2026-26144 (Copilot exfil), CVE-2026-26110 and CVE-2026-26113 (Office preview pane RCE) by end of week
   • Implement compensating MCP authorization controls this sprint: mTLS between agents and MCP servers, per-tool resource namespacing, centralized token revocation, and explicit user consent gates for high-risk tool invocations
   • Audit Copilot Agent permission scoping — agents should not have ambient read access to all documents a user can access
   • Keep SBOM generation in CI/CD even though federal requirements were rescinded this week — use it for sub-hour CVE enumeration

   Sources:pac4j JWT forgery via public RSA keys (CVE-2026-29000) · MCP auth has 4 unfixable design flaws + a missing `await` on bcrypt caused a universal auth bypass in Rocket.Chat · Amazon's AI-code outages just changed your review process

2. 02

   Vimeo's 3-Phase LLM Pipeline Is Your New Reference Architecture for Structured Output

   <h3>The Core Problem: One Prompt, Two Competing Objectives</h3><p>When you ask GPT-4 to translate four lines of English filler words into Japanese, it produces one clean sentence — <strong>linguistically correct, structurally catastrophic</strong> for a subtitle system expecting exactly four timed slots. The screen goes blank for three time windows. Vimeo calls this 'the blank screen bug,' but the same class of failure hits any system piping LLM output into rigid schemas: JSON APIs, database records, form fields, code templates.</p><p>Research by Tam et al. (2024) confirms this is fundamental, not a prompt engineering problem: <strong>format constraints measurably degrade LLM reasoning quality</strong>. The more structural rules you pack into a prompt, the worse the creative output gets.</p><hr><h3>The Architecture: Separation of Concerns Applied to Prompts</h3><p>Vimeo's pipeline splits into three phases, each optimizing for a single objective:</p><ol><li><strong>Smart Chunking (pre-processing)</strong>: Group source lines into 3-5 line thought blocks at sentence boundaries. This gives the LLM complete semantic units without drowning it in full-transcript context, which triggers hallucination.</li><li><strong>Creative Translation</strong>: Send each chunk with <strong>zero structural constraints</strong>. No line counts, no formatting, just 'produce the best possible translation.'</li><li><strong>Line Mapping (separate LLM call)</strong>: Take the translated block and break it into exactly N lines matching source rhythm. Pure structural task.</li></ol><blockquote>Separation of concerns — the oldest principle in software engineering — is the highest-leverage pattern for production LLM pipelines.</blockquote><hr><h3>The Fallback Chain: 100% Valid Output Guaranteed</h3><p>The 95% first-pass success rate isn't good enough for production. The remaining 5% enters a <strong>graduated fallback chain</strong>:</p><table><thead><tr><th>Stage</th><th>Method</th><th>Resolution Rate</th></tr></thead><tbody><tr><td>Primary</td><td>3-phase pipeline</td><td>~95%</td></tr><tr><td>Correction Loop</td><td>Tell LLM exactly what went wrong</td><td>~32% of remaining</td></tr><tr><td>Simplified Prompt</td><td>Bare-bones line splitting</td><td>Most remaining</td></tr><tr><td>Deterministic Rules</td><td>Pad/truncate/fill algorithmically</td><td>100% (degraded quality)</td></tr></tbody></table><p>The correction loop datapoint is concrete: <strong>LLM self-correction works when the model knows what went wrong, resolving ~32% of failures</strong>. Quality degrades gracefully through the chain, but nothing ever breaks. The cost: <strong>4-8% more latency, 6-10% more tokens</strong> — eliminating roughly 20 hours of manual QA per 1,000 videos.</p><hr><h3>Cross-Language Quality as a Production Concern</h3><p>Vimeo acknowledges that structurally divergent languages (Japanese, Korean) disproportionately hit degraded fallback paths compared to Romance languages. This is an honest documentation of a real production trade-off. They made an explicit product decision: <strong>repeated subtitle text is better than blank screens</strong>. That kind of trade-off documentation distinguishes engineering maturity from 'we threw an LLM at it.'</p><blockquote>If your architecture diagram shows a single arrow from 'user input' to 'LLM' to 'output,' you're building demo-ware. The real system is the pipeline around the model.</blockquote>

   Action items

   • Audit existing LLM integrations for multi-objective prompts that ask for both quality AND structural compliance in a single call; refactor the highest-failure-rate one into separate generation and formatting phases this sprint
   • Implement a graduated fallback chain for your most critical LLM-powered feature: primary LLM → correction loop with error feedback → simplified LLM → deterministic fallback
   • Prototype a validation-and-retry loop that feeds specific validation errors back to the model as correction context
   • Review chunking strategy for long-document LLM processing — test 3-5 logical-unit chunks with sentence boundary detection

   Sources:Your LLM structured output breaks in production for the same reason Vimeo's subtitles went blank

3. 03

   The Bottleneck Isn't Your Model — It's Everything Upstream of Code

   <h3>The Data: AI Adoption Hit 95%, But the Constraint Moved</h3><p>A 340-person industry survey provides the numbers your instinct already knew. <strong>35% of teams cite unclear/changing specs as their top slowdown</strong> — 2× the rate of QA (16%). Only 8% of engineers say tickets give them everything they need. AI adoption is near-universal (95%), but it's almost entirely applied to code production while the constraint has shifted upstream.</p><p>The asymmetry is telling: 35% understand the <em>problem</em> but not the <em>success criteria</em>, while only 13% have the inverse. <strong>Your PMs are communicating what to build but failing to specify what done looks like.</strong></p><hr><h3>52% of Teams Have Zero Shared AI Context</h3><p>This is the most technically actionable finding. Over half of engineering teams have <strong>no shared infrastructure for AI context</strong> — no AGENTS.md, no CLAUDE.md, no Cursor Rules. Each developer individually decides what context, conventions, and architectural constraints to communicate to AI tools. This is the distributed systems equivalent of running every service with a different config file.</p><p>Only 29% use shared repo files. Only <strong>3% intentionally organize existing docs for AI consumption</strong>. Yet 48% of documentation site visitors are now AI agents according to Mintlify data. Your documentation is becoming a machine-to-machine interface whether you planned for it or not.</p><blockquote>Treat AI context as a code artifact. Put it in the repo. Review it in PRs. Keep it updated alongside the code it describes.</blockquote><hr><h3>Yegge's 500K LOC Ceiling Changes Decomposition Calculus</h3><p>Steve Yegge puts a <strong>hard constraint on AI agent effectiveness: ~500K to a few million lines of code</strong>. Beyond that, agents can't fit enough context to be useful. This is a concrete, measurable threshold that reframes decomposition from a team autonomy argument into an AI productivity blocker.</p><p>Multiple sources confirm the convergence: AI agents <strong>amplify messy codebases</strong> rather than coping with them. Practices historically treated as aspirational — 100% test coverage, small well-scoped files, end-to-end types, fast ephemeral dev environments — are now <strong>functional prerequisites</strong> for effective AI-assisted development. Previously, cleaning up tech debt was about long-term maintainability. Now it determines whether your team can use AI tools at all.</p><p>Yegge separately claims orchestration, not model intelligence, is the bottleneck (citing Opus 4.5 as 'good enough'). His 'Dracula Effect' insight is underrated: AI eliminates easy tasks, <strong>concentrating engineers on pure high-intensity cognition</strong> — sustainable for roughly 3 hours/day at dramatically higher output. Sprint planning models built around 5-6 productive hours need recalibration.</p><hr><h3>Knowledge Management Is Now AI Context Infrastructure</h3><p><strong>64% of teams store critical knowledge in people's heads</strong>. Only 20% use ADRs. When a senior engineer leaves with the understanding of why the payment service uses event sourcing, that's not just an onboarding problem — it's an AI context problem. The AI will suggest CRUD patterns because <em>nobody documented the decision</em>.</p><p>Only 9% of teams use AI for requirements generation — the single highest-leverage underutilized AI application in the survey. A structured prompt that takes a ticket description and returns missing acceptance criteria, edge cases, and dependency questions could directly attack the 59% mid-cycle discovery rate.</p>

   Action items

   • Create CLAUDE.md / AGENTS.md / Cursor Rules files in your 3 highest-activity repos this week, encoding architectural decisions, domain model definitions, coding conventions, and known constraints
   • Audit your largest codebases against Yegge's ~500K LOC agent ceiling — identify services exceeding this threshold and create a decomposition roadmap explicitly citing AI-assisted development as the forcing function
   • Add structured acceptance criteria and edge case enumeration as a hard gate in your ticket workflow — prototype an AI-generated 'what's missing' checklist before tickets enter sprint
   • Advocate for explicit AI experimentation time — minimum 10% of engineering capacity — in your next planning cycle

   Sources:Your AI tooling ROI is capped by your specs, not your models · Your monolith is now an AI adoption blocker · Cline's npm got popped via prompt injection · Gemini Embedding 2 unifies text/video/audio in one vector space