CVE-2026-0636
Received Received - Intake
LDAP Injection in BC-JAVA bcprov LDAPStoreHelper Allows Data Manipulation

Publication date: 2026-04-15

Last updated on: 2026-05-19

Assigner: bcorg

Description
Improper neutralization of special elements used in an LDAP query ('LDAP injection') vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcprov on all (prov modules). This vulnerability is associated with program files LDAPStoreHelper. This issue affects BC-JAVA: from 1.74 before 1.80.2, from 1.81 before 1.81.1, from 1.82 before 1.84.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-15
Last Modified
2026-05-19
Generated
2026-06-16
AI Q&A
2026-04-15
EPSS Evaluated
2026-06-14
NVD
CVE-2026-0636
EUVD
EUVD-2026-22849
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
legion_of_the_bouncy_castle_inc bc-java From 1.74 (inc) to 1.84 (exc)
legion_of_the_bouncy_castle_inc bc-java 1.84
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-90 The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

CVE-2026-0636 is an LDAP Injection vulnerability that could lead to information disclosure if the vulnerable API is used with untrusted or unvetted certificates. Such information disclosure risks can potentially impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access.

Because the vulnerability allows improper neutralization of LDAP query elements, it could be exploited to access or manipulate sensitive directory information, thereby violating confidentiality requirements mandated by these standards.

However, exploitation requires explicit invocation of the vulnerable API, and the issue was fixed in version 1.84 by properly validating LDAP inputs, which mitigates the risk.

Executive Summary

CVE-2026-0636 is an LDAP Injection vulnerability found in the Bouncy Castle Java library versions 1.74 through 1.84. The issue exists in the LDAPStoreHelper.java class, which is part of the secondary API used for LDAP server interactions related to certificate processing.

The vulnerability arises because the implementation did not properly validate X.500 names of certificates, subjects, or issuers when these contained LDAP wildcards. This improper validation allowed LDAP wildcards to be processed unchecked, which could lead to LDAP injection attacks.

Exploitation requires explicit invocation of the vulnerable API with untrusted or unvetted certificates containing LDAP wildcards, potentially leading to information disclosure.

The issue was fixed in version 1.84 by refactoring the LDAP Distinguished Name parsing code into a single utility class that properly validates and escapes LDAP inputs, mitigating the injection risk.

Impact Analysis

This vulnerability can lead to LDAP injection attacks if the vulnerable API is used with untrusted or unvetted certificates containing LDAP wildcards.

An attacker could exploit this flaw to manipulate LDAP queries, potentially causing unauthorized information disclosure from the LDAP server.

Since the vulnerability affects certificate processing related to LDAP queries, it could compromise the integrity and confidentiality of certificate-related data retrieved via LDAP.

Detection Guidance

This vulnerability is an LDAP Injection issue in the Bouncy Castle Java library versions 1.74 through before 1.84, specifically in the LDAPStoreHelper class. Detection involves identifying usage of these vulnerable BC-JAVA versions in your environment, especially if LDAPStoreHelper or related LDAP certificate retrieval APIs are invoked.

Since the vulnerability requires explicit invocation of the vulnerable LDAP API, detection can focus on monitoring or scanning for usage of the affected classes or versions.

Suggested commands or approaches include:

  • Check installed BC-JAVA library versions on your systems or applications: For example, in a Java environment, list the bcprov jar version by inspecting the jar manifest or filenames.
  • Search your codebase or runtime environment for usage of LDAPStoreHelper or org.bouncycastle.x509 LDAP classes.
  • Use network monitoring tools to detect suspicious LDAP queries that may contain unescaped LDAP wildcards or unusual filter patterns.
  • If you have access to logs, grep for LDAP queries containing special characters like '*', '(', ')', or backslashes that are not properly escaped.
Mitigation Strategies

The primary mitigation step is to upgrade the Bouncy Castle Java library to version 1.84 or later, where the vulnerability has been fixed by refactoring and properly escaping LDAP Distinguished Name parsing and filter encoding.

If upgrading immediately is not possible, ensure that any use of the vulnerable LDAPStoreHelper or related LDAP APIs properly sanitizes and escapes LDAP inputs to prevent injection.

Review and restrict the use of untrusted or unvetted certificates that may contain LDAP wildcards, as exploitation requires such inputs.

Monitor LDAP queries for suspicious patterns and consider applying additional input validation or filtering at the application level.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-0636. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart