How exploitable is a none JWT?

A recent penetration test has discovered that my org is using the JWT authentication scheme that allows the ‘none’ algorithm. How exploitable is this in the real world?

I understand that the issue can be used by an attacker to change the payload to another user and then ‘sign’ it using the none algorithm that would be accepted, however the only real payload information that could be enumerated is the subject and a random value.

Would an attacker be able to brute force the subject field and gain access to another person’s account? How realistic is this?