CVE-2026-40459

EUVD-2026-23423
PAC4J is vulnerable to LDAP Injection in multiple methods. A low-privileged remote attacker can inject crafted LDAP syntax into ID-based search parameters, potentially resulting in unauthorized LDAP queries and arbitrary directory operations.

This issue was fixed in PAC4J versions 4.5.10, 5.7.10 and 6.4.1
LDAP Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
CERT-PLCNA
8.7 HIGH
NETWORK
LOW
LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
pac4jpac4j
4.0 ≤
𝑥
< 4.5.10
CNA
pac4jpac4j
5.0 ≤
𝑥
< 5.7.10
CNA
pac4jpac4j
6.0 ≤
𝑥
< 6.4.1
CNA
Common Weakness Enumeration
References
https://cert.pl/en/posts/2026/04/CVE-2026-40458/
https://www.pac4j.org/blog/security-advisory-pac4j-core-and-ldap.html