Our AI Code Review just found a CVSS 10.0 vulnerability. CVE-2026-29000 The highest possible severity. It had been sitting in pac4j, a widely used Java authentication library, for nearly 6 years. No static scanner found it. No human reviewer found it. Our AI code reviewer did. This was a full authentication bypass caused by a logic gap between the JWT spec and the implementation in pac4j-jwt. What this means: An attacker can craft a malicious token and log in as any user, even admin. no password no credentials no stolen session They only need the server’s RSA public key, which is public by design. Root cause: the library accepts a class of token that should never bypass signature verification. When it receives one, it skips the signature check entirely and builds an authenticated session from attacker-controlled claims. Full technical write-up working PoC below. We don’t publish random benchmark claims. We publish real world threats. This is one of 87 vulnerabilities we’ve found so far, including issues affecting packages with 500M weekly downloads. Kudos to @VulnCheckAI team for helping expedite the CVE assignment process.

We pentested 200 companies in last 3 months. - 3.6M PII records exposed at one - 6M passenger records at another - PHI leaking at a healthcare unicorn All passed their annual pentest Start free pentest from @CodeAntAI Don't be the next headline

@CodeAntAI is launching Agentic Pentest. Used by some of the world’s fastest-moving companies. We spent all of Q1 building this with design partners. This week, we’re letting our customers do the talking, starting with @monikkinom, CEO of @TomaAuto(AI for the automotive industry). Now we’re opening it to everyone. Here’s the deal: - Get free pentest - Full report in 24 hours - Low & medium issues? On us - Critical issue found? Pay only then We take the risk. You get the results. 👉 codeant(.)ai / pentesting

@CodeAntAI quietly put up some of the strongest numbers in our offline benchmark: top 3 across the board, and #2 on critical risk issues, medium/large PRs, and TypeScript. A lot of range. codereview.withmartian.com/?…

We've disclosed 84 zero-day vulnerabilities in the last 1.5 months. This is what we learned. Every security tool you use runs on the same backbone CVEs and the NVD database. Your tool pulls those CVEs, scans your code, and tells you if you're affected. That's it. That's the whole game. But there's no single authority enforcing when vulnerabilities get disclosed. Google says 90 days. Some says 120 days. And 67% of medium and low vulnerabilities aren't even reported as security issues, they are filed as performance fixes. Severity downgraded. Buried in changelogs. Attackers don't wait for CVEs. They don't care if it's disclosed or not. Offensive security is growing like crazy. If a vulnerability exists, someone will find it and weaponize it. Your app is exposed. Your dashboard shows green. We're going to change it!

2 weeks ago, I was debugging something @CodeAntAI code reviewer flagged. It flagged a regex issue in the simple-git repo. 12.4 million weekly downloads. The flag: "This regex guards a case-insensitive system using case-sensitive matching." I almost scrolled past it. I didn't. One hour later I had a working remote code execution POC ready. Here's the thing, simple-git had already fixed this. Twice. CVE-2022-25912. CVE-2022-25860. Both attempted to block the dangerous `ext::` Git protocol using a regex. - The regex used [a-z]. Case-sensitive. - Git config keys are case-insensitive. So protocol.allow=always → blocked. PROTOCOL.ALLOW=always → full remote code execution. The fix that shipped? One character. Adding '/i' to the regex flag. That's the entire diff. 73% of all simple-git installs, roughly 9 million downloads per week, are still running the vulnerable versions right now. The advisory hasn't hit NVD yet. Which means every scanner in your stack is currently blind to it. Snyk. SonarQube. Checkmarx. All blind. Not because they’re bad products. Because they rely on known CVEs. If the CVE doesn’t exist yet, the pattern doesn’t exist yet. This is CVE-2026-28292. CVSS 9.8 Critical. Five days before this, we disclosed CVE-2026-29000. CVSS 10.0. Authentication bypass in pac4j-jwt. Different ecosystem. Different vulnerability class. Rule-based scanners ask: "Does this match a known bad pattern?" AI code review asks: "Does this code do what it's supposed to do?" A case-sensitive regex guarding a case-insensitive syste, isn't a known pattern. It's a logic gap. A spec vs implementation mismatch. That's exactly what CodeAnt AI catches, and exactly what everything else misses. So far we've filed: - 100 vulnerabilities - Across npm, PyPI, Maven, NuGet - 1.85B monthly downloads affected Patch ≠ Fix. Massive respect to Steve (steveukx), 4 days from report to patch. Open-source maintainers are the unsung backbone of this entire industry. If you use simple-git: npm install simple-git@latest. Do it now. Full writeup in the comments. 👇

[Raw Video] On Saturday, Feb 28th, two of our engineers were running @CodeAntAI’s code reviewer against open-source packages. It stopped on pac4j-jwt. One of the most widely used Java authentication libraries in the world. The finding made them go silent. An attacker can log in as admin. As any user. With just the server's public key. The key that's designed to be public. No password. No secrets. No hacking. Nothing. Full authentication bypass. The root cause? A single bad null check. One misplaced null check meant the entire signature verification gets silently skipped. CVE-2026-29000. CVSS 10.0 🔥 We're doing responsible outreach to every affected project. There are a lot of them. We're also launching a free scanner where you can check your entire codebase to see if you're affected.

Yesterday we published CVE-2026-29000, a CVSS 10 authentication bypass in pac4j-jwt. An attacker with just the server's RSA public key can forge a JWT and log in as admin. No secrets needed. No user interaction. The key that's designed to be public is enough. That was the finding. Today we did something harder: we mapped the blast radius. We scanned every downstream dependent of pac4j-jwt across Maven Central, GitHub, and build files across the ecosystem. Here's what we found: → 1000 projects identified (just in opensource) → Including enterprise SSO servers used by universities and governments → Including health research infrastructure → Including national archival systems The two currently maintained CAS release branches, 7.2.x and 7.3.x are both affected. CAS is the SSO server used by hundreds of institutions worldwide. We're not publishing the list. That's a target menu. Instead we're privately notifying every affected maintainer this week, with the CVE details, the patched versions, and our steps-to-verify guide. Our job is to help them fix it, not to help attackers find them. 17 projects have already patched. CAS master branch has updated to 6.3.3. We'll publish the full patch adoption curve once maintainers have had time to respond.

225 Maven artifacts and 131 public GitHub repositories depend on pac4j-jwt, a library with a CVSS 10.0 authentication bypass (CVE-2026-29000), found by our AI code reviewer, that allows attackers to impersonate any user including admins using only the server's public key. We are right now reaching out to the maintainers ASAP to get this fixed.

@CodeAntAI's code reviewer just found a zero day security vulnerability, with a CVSS score of 10.0 (maximum) CVE-2026-29000. Published today. A complete authentication bypass in pac4j-jwt, one of the most widely used Java auth libraries. An attacker can craft a token and log in as any user, including admin. The only thing they need? The server's RSA public key. The one that's public by design. The root cause: the library trusts a type of token that the JWT spec technically allows but that should never bypass signature verification. When it receives one, it skips the entire signature check and builds a fully authenticated session from whatever the attacker put in the token. Not a human researcher. Not a pen tester. An AI code reviewer. We don't publish benchmarks. We publish CVEs. This is one of 87, zero day vulnerabilities we published, more dropping soon! Kudos to @VulnCheckAI for expediting the CVE assignment. @CVEnew

We just broke one of the most popular Java auth libraries with nothing but a public key. Full admin access. Zero credentials needed. No private key, no shared secret, just your public key to become admin. We reported it, worked with the maintainer, patched across 3 versions in 72 hours. Kudo to Jérôme Leleu, who moved incredibly fast on the disclosure. Full exploit and PoC ↓

Just landed in bangalore. Hosting 200 engineers & eng leaders in one room tonight, this is going to be fun!

We're in India for a week Delhi Dev Connect wrapped Bangalore next

Delhi 🤝 @CodeAntAI = 🔥 next one in Bangalore, 20th Jan - luma.com/7a8zcndk

2025: shipped fast, broke limits, and partied harder Goa with our APAC crew was unreal Love this team ❤️

We’re super excited to support @Commvault's 800 developers as they speed up code reviews, improve code health, and strengthen code quality & security with @CodeAntAI

Just closed a top 15 US public cybersecurity giant. They replaced SonarQube with @CodeAntAI, the case study drops next week.