CVE-2026-0636
Status: Received - Intake
LDAP Injection in BC-JAVA bcprov LDAPStoreHelper Allows Data Manipulation

Publication date: 2026-04-15

Last updated on: 2026-04-15

Assigner: bcorg

Description
Improper neutralization of special elements used in an LDAP query ('LDAP injection') vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcprov (all prov modules). The affected program file is LDAPStoreHelper. This issue affects BC-JAVA from 1.74 before 1.84.
Meta Information
Published: 2026-04-15
Last Modified: 2026-04-15
Generated: 2026-05-06
AI Q&A: 2026-04-15
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 2 associated CPEs
Vendor                            Product   Version / Range
legion_of_the_bouncy_castle_inc   bc-java   From 1.74 (inc) to 1.84 (exc)
legion_of_the_bouncy_castle_inc   bc-java   1.84
CWE
CWE-90: The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-0636 is an LDAP Injection vulnerability found in the Bouncy Castle Java library versions 1.74 through 1.84. The issue exists in the LDAPStoreHelper.java class, which is part of the secondary API used for LDAP server interactions related to certificate processing.

The vulnerability arises because the implementation did not properly validate X.500 names of certificates, subjects, or issuers when these contained LDAP wildcards. This improper validation allowed LDAP wildcards to be processed unchecked, which could lead to LDAP injection attacks.

Exploitation requires explicit invocation of the vulnerable API with untrusted or unvetted certificates containing LDAP wildcards, potentially leading to information disclosure.

The issue was fixed in version 1.84 by refactoring the LDAP Distinguished Name parsing code into a single utility class that properly validates and escapes LDAP inputs, mitigating the injection risk.


How can this vulnerability impact me?

This vulnerability can lead to LDAP injection attacks if the vulnerable API is used with untrusted or unvetted certificates containing LDAP wildcards.

An attacker could exploit this flaw to manipulate LDAP queries, potentially causing unauthorized information disclosure from the LDAP server.

Since the vulnerability affects certificate processing related to LDAP queries, it could compromise the integrity and confidentiality of certificate-related data retrieved via LDAP.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability is an LDAP Injection issue in the Bouncy Castle Java library versions from 1.74 up to but not including 1.84, specifically in the LDAPStoreHelper class. Detection involves identifying usage of these vulnerable BC-JAVA versions in your environment, especially if LDAPStoreHelper or related LDAP certificate retrieval APIs are invoked.

Since the vulnerability requires explicit invocation of the vulnerable LDAP API, detection can focus on monitoring or scanning for usage of the affected classes or versions.

Suggested commands or approaches include:

  • Check installed BC-JAVA library versions on your systems or applications: For example, in a Java environment, list the bcprov jar version by inspecting the jar manifest or filenames.
  • Search your codebase or runtime environment for usage of LDAPStoreHelper or org.bouncycastle.x509 LDAP classes.
  • Use network monitoring tools to detect suspicious LDAP queries that may contain unescaped LDAP wildcards or unusual filter patterns.
  • If you have access to logs, grep for LDAP queries containing special characters like '*', '(', ')', or backslashes that are not properly escaped.
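The first item above, checking bcprov jar versions against the affected range, as an added example in Java (this is not code from the advisory or from Bouncy Castle). It walks a directory tree, reads each bcprov jar's manifest and flags versions in [1.74, 1.84). The manifest keys Bundle-Version and Implementation-Version and the filename convention bcprov-<variant>-<major>.<minor>.jar are assumptions; when neither the manifest nor the filename yields a version the jar is reported for manual inspection rather than silently skipped.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;
import java.util.jar.JarFile;
import java.util.jar.Manifest;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import java.util.stream.Stream;

/**
 * Walks a directory tree, finds bcprov jars and flags any whose version falls in the
 * affected range [1.74, 1.84) given in the advisory. Added example, not Bouncy Castle code.
 */
public class BcprovVersionScan {
    // Assumed filename convention, e.g. bcprov-jdk18on-1.78.jar (prefix-variant-major.minor.jar).
    private static final Pattern FILENAME = Pattern.compile("^bcprov-[^-]+-(\\d+)\\.(\\d+)\\.jar$");
    // Leading major.minor of a manifest version string such as "1.78" or "1.78.0".
    private static final Pattern MAJOR_MINOR = Pattern.compile("^(\\d+)\\.(\\d+)");
    // Manifest keys assumed to carry the release version; both are tried in order.
    private static final String[] VERSION_KEYS = {"Bundle-Version", "Implementation-Version"};

    /** Affected range from the advisory: 1.74 inclusive up to 1.84 exclusive. */
    static boolean isAffected(int major, int minor) {
        return major == 1 && minor >= 74 && minor < 84;
    }

    /** Parses "1.78" or "1.78.0" into {1, 78}; null if the string has no leading major.minor. */
    static int[] parseMajorMinor(String version) {
        if (version == null) return null;
        Matcher m = MAJOR_MINOR.matcher(version.trim());
        if (!m.find()) return null;
        return new int[] {Integer.parseInt(m.group(1)), Integer.parseInt(m.group(2))};
    }

    /** Version string from the jar manifest, falling back to the filename; null if neither yields one. */
    static String versionOf(Path jar) throws IOException {
        try (JarFile jf = new JarFile(jar.toFile())) {
            Manifest mf = jf.getManifest();
            if (mf != null) {
                for (String key : VERSION_KEYS) {
                    String v = mf.getMainAttributes().getValue(key);
                    if (v != null && !v.isEmpty()) return v;
                }
            }
        }
        Matcher m = FILENAME.matcher(jar.getFileName().toString());
        return m.matches() ? m.group(1) + "." + m.group(2) : null;
    }

    public static void main(String[] args) throws IOException {
        Path root = Paths.get(args.length > 0 ? args[0] : ".");
        List<Path> jars;
        try (Stream<Path> walk = Files.walk(root)) {
            jars = walk.filter(Files::isRegularFile)
                       .filter(p -> p.getFileName().toString().startsWith("bcprov-")
                                 && p.getFileName().toString().endsWith(".jar"))
                       .collect(Collectors.toList());
        }
        int affected = 0;
        for (Path jar : jars) {
            String version = versionOf(jar);
            int[] mm = parseMajorMinor(version);
            String verdict;
            if (mm == null) {
                verdict = "UNKNOWN version, inspect manually";
            } else if (isAffected(mm[0], mm[1])) {
                verdict = "AFFECTED by CVE-2026-0636, upgrade to 1.84 or later";
                affected++;
            } else {
                verdict = "not in affected range";
            }
            System.out.println(jar + " -> " + version + " : " + verdict);
        }
        System.out.println(affected + " affected jar(s) found under " + root);
    }
}
```

Run it as `java BcprovVersionScan /opt/app/lib` (or against a local Maven repository such as ~/.m2) to list every bcprov jar with its version and verdict. It only sees jars present as files; a bcprov that has been shaded into an application jar will not be found this way and needs a class-path or dependency-tree check instead.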

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

CVE-2026-0636 is an LDAP Injection vulnerability that could lead to information disclosure if the vulnerable API is used with untrusted or unvetted certificates. Such information disclosure risks can potentially impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access.

Because the vulnerability allows improper neutralization of LDAP query elements, it could be exploited to access or manipulate sensitive directory information, thereby violating confidentiality requirements mandated by these standards.

However, exploitation requires explicit invocation of the vulnerable API, and the issue was fixed in version 1.84 by properly validating LDAP inputs, which mitigates the risk.


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade the Bouncy Castle Java library to version 1.84 or later, where the vulnerability has been fixed by refactoring and properly escaping LDAP Distinguished Name parsing and filter encoding.

If upgrading immediately is not possible, ensure that any use of the vulnerable LDAPStoreHelper or related LDAP APIs properly sanitizes and escapes LDAP inputs to prevent injection.

Review and restrict the use of untrusted or unvetted certificates that may contain LDAP wildcards, as exploitation requires such inputs.

Monitor LDAP queries for suspicious patterns and consider applying additional input validation or filtering at the application level.
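The escaping step recommended above, shown as an added Java example rather than Bouncy Castle's own LDAPStoreHelper code: a certificate's CN is placed into a search filter first without escaping and then with RFC 4515 section 3 escaping, beside a metacharacter check that an application can use to reject or log suspicious values before querying. The filter shape `(cn=...)` and the two subject DNs are constructed for the demonstration; the fix in 1.84 lives inside the library, and this example is for callers who build their own LDAP filters from certificate names.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/**
 * Building an LDAP search filter from certificate name components.
 * Added example, not Bouncy Castle's LDAPStoreHelper code.
 */
public class LdapFilterGuard {

    /** Unsafe pattern: the attribute value is concatenated into the filter unchanged. */
    static String buildFilterUnsafe(String cn) {
        return "(cn=" + cn + ")";
    }

    /** RFC 4515 section 3 escaping for an assertion value; every metacharacter becomes \XX. */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\\': sb.append("\\5c"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Hardened pattern: the value is matched literally, so '*' cannot act as a wildcard. */
    static String buildFilterSafe(String cn) {
        return "(cn=" + escapeFilterValue(cn) + ")";
    }

    /** True when a value carries filter metacharacters; use it to reject or log before querying. */
    static boolean hasFilterMetacharacters(String value) {
        return value.chars().anyMatch(c -> c == '*' || c == '(' || c == ')' || c == '\\' || c == 0);
    }

    /**
     * First CN value of an RFC 4514 DN string, or null. Note that DN escaping (what
     * Rdn.escapeValue does) is a different grammar from filter escaping and is not a substitute.
     */
    static String commonNameOf(String dn) throws InvalidNameException {
        for (Rdn rdn : new LdapName(dn).getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) return String.valueOf(rdn.getValue());
        }
        return null;
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed subject DNs: one benign, one carrying a filter wildcard in its CN.
        String[] subjects = {"CN=alice,O=Example Corp", "CN=*,O=Example Corp"};
        for (String dn : subjects) {
            String cn = commonNameOf(dn);
            System.out.println("subject : " + dn);
            System.out.println("  unsafe filter   : " + buildFilterUnsafe(cn));
            System.out.println("  escaped filter  : " + buildFilterSafe(cn));
            System.out.println("  metacharacters? : " + hasFilterMetacharacters(cn));
        }
    }
}
```

For the second subject the unsafe filter is `(cn=*)`, which the directory treats as a presence match over every entry, while the escaped form `(cn=\2a)` only matches an entry whose CN is literally an asterisk. Escaping is the fix; the metacharacter check is the monitoring hook, since a certificate whose name needs escaping is itself worth logging.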

