CVE-2026-40458
Received Received - Intake
CSRF Token Hash Collision in PAC4J Enables Unauthorized Actions

Publication date: 2026-04-17

Last updated on: 2026-04-20

Assigner: CERT.PL

Description
PAC4J is vulnerable to Cross-Site Request Forgery (CSRF). A malicious attacker can craft a specially designed website which, when visited by a user, will automatically submit a forged cross-site request with a token whose hash collides with the victim's legitimate CSRF token. Importantly, the attacker does not need to know the victim’s CSRF token or its hash prior to the attack. Collisions in the deterministic String.hashCode() function can be computed directly, reducing the effective token's security space to 32 bits. This bypasses CSRF protection, allowing profile updates, password changes, account linking, and any other state-changing operations to be performed without the victim's consent. This issue was fixed inΒ PAC4J versions 5.7.10 andΒ 6.4.1
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-17
Last Modified
2026-04-20
Generated
2026-06-16
AI Q&A
2026-04-17
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40458
EUVD
EUVD-2026-23421
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
pac4j pac4j From 6.0.0 (exc) to 6.4.1 (exc)
pac4j pac4j From 5.0.0 (inc) to 5.7.10 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

PAC4J is vulnerable to a Cross-Site Request Forgery (CSRF) attack where an attacker can create a malicious website that automatically submits a forged request with a token whose hash collides with the victim's legitimate CSRF token.

The attacker does not need to know the victim's actual CSRF token or its hash beforehand because collisions in the deterministic String.hashCode() function can be computed directly, reducing the token's security to 32 bits.

This vulnerability bypasses CSRF protection, allowing unauthorized actions such as profile updates, password changes, account linking, and other state-changing operations without the victim's consent.

Impact Analysis

This vulnerability can allow attackers to perform unauthorized state-changing operations on behalf of a user without their consent.

  • Attackers can update user profiles.
  • Attackers can change user passwords.
  • Attackers can link accounts.
  • Any other operations that change the state of the user's account can be performed maliciously.
Mitigation Strategies

To mitigate this vulnerability, you should upgrade PAC4J to version 5.7.10 or later, or version 6.4.1 or later, where the issue has been fixed.

Compliance Impact

The vulnerability in PAC4J allows an attacker to bypass CSRF protection, enabling unauthorized state-changing operations such as profile updates, password changes, and account linking without the victim's consent.

Such unauthorized actions could lead to violations of data protection and privacy regulations like GDPR and HIPAA, as they compromise the integrity and security of user data and user consent mechanisms.

However, the provided information does not explicitly discuss the impact of this vulnerability on compliance with these standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40458. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart