The BigFix Team has developed a detection methodology for CVE-2026-29000. This approach uses a custom JAR file based on a fork of the Logpresso tool, following a similar process to our 2022 log4j response.
Detection Components
The following tools are available now to help identify vulnerable instances:
Analysis: A dedicated analysis is available to report detection results back to the BigFix console.
Support & Distribution
Community Supported: Please note that this solution is provided as best effort and community supported.
Support Coordination: Customers may also contact the Support team, who can share these files and provide guidance on the detection setup.
Support Coverage
I will be updating this thread with any further developments throughout the weekend. Please direct any customer questions or concerns to the Support team.
We have produce and digitally signed a build of the scanner utility, and hosted it at software.bigfix.com. The Task no longer requires manually caching the file download.
We expect to publish official content later in the day, but we welcome any feedback you can give on this interim solution in the meantime!
As with other full-filesystem scans such as Log4j or Spring Boot, please use this content with caution, and be sure to stagger your scans across systems especially if they are using shared storage infrastructure such as VMs or SANs. The scan actions generally cannot be throttled by Disk I/O and could introduce high disk usage while the scan is executing.
The Inventory team has published custom signatures to BigFix.me as well. These can be imported into BigFix Inventory to detect instances of the vulnerable pac4j-jwt, as well as newer instances that have been corrected already.
Detection through BigFix Inventory allows customers to perform detections while leveraging existing inclusion/exclusion and scan throttling configurations.