diff --git a/apps/emqx_auth_jwt/src/emqx_auth_jwt.appup.src b/apps/emqx_auth_jwt/src/emqx_auth_jwt.appup.src
index 7ee2349c3..4691f096e 100644
--- a/apps/emqx_auth_jwt/src/emqx_auth_jwt.appup.src
+++ b/apps/emqx_auth_jwt/src/emqx_auth_jwt.appup.src
@@ -2,31 +2,13 @@
 %% Unless you know what you are doing, DO NOT edit manually!!
 {VSN,
   [{"4.3.7",[{load_module,emqx_auth_jwt,brutal_purge,soft_purge,[]}]},
-   {"4.3.6",
-    [{load_module,emqx_auth_jwt,brutal_purge,soft_purge,[]},
-     {load_module,emqx_auth_jwt_svr,brutal_purge,soft_purge,[]}]},
-   {"4.3.5",
-    [{load_module,emqx_auth_jwt,brutal_purge,soft_purge,[]},
-     {load_module,emqx_auth_jwt_svr,brutal_purge,soft_purge,[]}]},
-   {"4.3.4",
-    [{load_module,emqx_auth_jwt,brutal_purge,soft_purge,[]},
-     {load_module,emqx_auth_jwt_svr,brutal_purge,soft_purge,[]}]},
-   {"4.3.3",
+   {<<"4\\.3\\.[3-6]">>,
     [{load_module,emqx_auth_jwt,brutal_purge,soft_purge,[]},
      {load_module,emqx_auth_jwt_svr,brutal_purge,soft_purge,[]}]},
    {<<"4\\.3\\.[0-2]">>,[{restart_application,emqx_auth_jwt}]},
    {<<".*">>,[]}],
   [{"4.3.7",[{load_module,emqx_auth_jwt,brutal_purge,soft_purge,[]}]},
-   {"4.3.6",
-    [{load_module,emqx_auth_jwt,brutal_purge,soft_purge,[]},
-     {load_module,emqx_auth_jwt_svr,brutal_purge,soft_purge,[]}]},
-   {"4.3.5",
-    [{load_module,emqx_auth_jwt,brutal_purge,soft_purge,[]},
-     {load_module,emqx_auth_jwt_svr,brutal_purge,soft_purge,[]}]},
-   {"4.3.4",
-    [{load_module,emqx_auth_jwt,brutal_purge,soft_purge,[]},
-     {load_module,emqx_auth_jwt_svr,brutal_purge,soft_purge,[]}]},
-   {"4.3.3",
+   {<<"4\\.3\\.[3-6]">>,
     [{load_module,emqx_auth_jwt,brutal_purge,soft_purge,[]},
      {load_module,emqx_auth_jwt_svr,brutal_purge,soft_purge,[]}]},
    {<<"4\\.3\\.[0-2]">>,[{restart_application,emqx_auth_jwt}]},
diff --git a/apps/emqx_auth_jwt/src/emqx_auth_jwt.erl b/apps/emqx_auth_jwt/src/emqx_auth_jwt.erl
index 0b3f17b04..623fa25c5 100644
--- a/apps/emqx_auth_jwt/src/emqx_auth_jwt.erl
+++ b/apps/emqx_auth_jwt/src/emqx_auth_jwt.erl
@@ -109,11 +109,20 @@ string_to_number(_) ->
 %% Verify Claims
 %%--------------------------------------------------------------------
 
-verify_acl(ClientInfo, #{<<"sub">> := SubTopics}, subscribe, Topic) when is_list(SubTopics) ->
-    verify_acl(ClientInfo, SubTopics, Topic);
-verify_acl(ClientInfo, #{<<"pub">> := PubTopics}, publish, Topic) when is_list(PubTopics) ->
-    verify_acl(ClientInfo, PubTopics, Topic);
-verify_acl(_ClientInfo, _Acl, _PubSub, _Topic) -> {stop, deny}.
+verify_acl(ClientInfo, Acl, PubSub, Topic) ->
+    Key = case PubSub of
+              subscribe -> <<"sub">>;
+              publish -> <<"pub">>
+          end,
+    Rules0 = lists:map(
+               fun(K) ->
+                       case maps:get(K, Acl, undefined) of
+                           R when is_list(R) -> R;
+                           _ -> []
+                       end
+               end, [<<"all">>, Key]),
+    Rules = lists:append(Rules0),
+    verify_acl(ClientInfo, Rules, Topic).
 
 verify_acl(_ClientInfo, [], _Topic) -> {stop, deny};
 verify_acl(ClientInfo, [AclTopic | AclTopics], Topic) ->
diff --git a/apps/emqx_auth_jwt/test/emqx_auth_jwt_SUITE.erl b/apps/emqx_auth_jwt/test/emqx_auth_jwt_SUITE.erl
index 62f753904..7452091bd 100644
--- a/apps/emqx_auth_jwt/test/emqx_auth_jwt_SUITE.erl
+++ b/apps/emqx_auth_jwt/test/emqx_auth_jwt_SUITE.erl
@@ -297,7 +297,8 @@ t_check_jwt_acl(_Config) ->
                 {username, <<"plain">>},
                 {sub, value},
                 {acl, [{sub, [<<"a/b">>]},
-                       {pub, [<<"c/d">>]}]},
+                       {pub, [<<"c/d">>]},
+                       {all, [<<"all">>]}]},
                 {exp, erlang:system_time(seconds) + 10}],
                <<"HS256">>,
                <<"emqxsecret">>),
@@ -329,6 +330,19 @@ t_check_jwt_acl(_Config) ->
     after 100 -> ok
     end,
 
+    %% can pub/sub to all rules
+    ?assertMatch(
+      {ok, #{}, [0]},
+      emqtt:subscribe(C, <<"all">>, 0)),
+
+    ?assertMatch(
+      ok,
+      emqtt:publish(C, <<"all">>, <<"hi">>, 0)),
+    receive
+        {publish, #{topic := <<"all">>}} -> ok
+    after 2000 ->
+              ?assert(false, "Publish to `all` should be allowed")
+    end,
     ok = emqtt:disconnect(C).
 
 t_check_jwt_acl_no_recs(init, _Config) ->
diff --git a/changes/v4.3.22-en.md b/changes/v4.3.22-en.md
index db76d3423..2bf731b8c 100644
--- a/changes/v4.3.22-en.md
+++ b/changes/v4.3.22-en.md
@@ -3,6 +3,8 @@
 - Add a warning log if the ACL check failed for subscription [#9124](https://github.com/emqx/emqx/pull/9124).
   This is to make the ACL deny logging for subscription behave the same as for publish.
 
+- JWT ACL claim supports `all` action to imply the rules applie to both `pub` and `sub` [#9044](https://github.com/emqx/emqx/pull/9044).
+
 ### Bug fixes
 
 - Improve the display of rule's 'Maximum Speed' counter to only reserve 2 decimal places. [#9185](https://github.com/emqx/emqx/pull/9185)
diff --git a/changes/v4.3.22-zh.md b/changes/v4.3.22-zh.md
index e7d343db0..065fa6419 100644
--- a/changes/v4.3.22-zh.md
+++ b/changes/v4.3.22-zh.md
@@ -3,6 +3,8 @@
 - 订阅时，如果 ACL 检查不通过，打印一个警告日志 [#9124](https://github.com/emqx/emqx/pull/9124)。
   该行为的改变主要是为了跟发布失败时的行为保持一致。
 
+- 基于 JWT 的 ACL 支持 `all` 动作，指定同时适用于 `pub` 和 `sub` 两个动作的规则列表 [#9044](https://github.com/emqx/emqx/pull/9044)。
+
 ### 修复
 
 - 改进规则的 "最大执行速度" 的计数，只保留小数点之后 2 位 [#9185](https://github.com/emqx/emqx/pull/9185)