CVE-2026-40459
LDAP Injection in PAC4J Allows Unauthorized Directory Operations
Publication date: 2026-04-17
Last updated on: 2026-04-20
Assigner: CERT.PL
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pac4j | pac4j | From 4.0.0 (inc) to 4.5.10 (exc) |
| pac4j | pac4j | From 5.0.0 (inc) to 5.7.10 (exc) |
| pac4j | pac4j | From 6.0.0 (inc) to 6.4.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-90 | The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
PAC4J is vulnerable to LDAP Injection in multiple methods. This means that a low-privileged remote attacker can inject specially crafted LDAP syntax into ID-based search parameters. As a result, the attacker may be able to perform unauthorized LDAP queries and execute arbitrary directory operations.
How can this vulnerability impact me? :
This vulnerability can allow an attacker with low privileges to perform unauthorized LDAP queries and arbitrary directory operations. This could lead to unauthorized access to sensitive directory information, modification or deletion of directory data, and potentially compromise the security and integrity of the system relying on PAC4J.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this LDAP Injection vulnerability in PAC4J, you should upgrade PAC4J to one of the fixed versions: 4.5.10, 5.7.10, or 6.4.1.