CVE 8.7 HIGH

LDAP Injection in PAC4J_CVE-2026-40459

April 17, 2026 invoker category_cve

8.7 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

PAC4J is vulnerable to LDAP Injection in multiple methods. A low-privileged remote attacker can inject crafted LDAP syntax into ID-based search parameters, potentially resulting in unauthorized LDAP queries and arbitrary directory operations.

This issue was fixed in PAC4J versions 4.5.10, 5.7.10 and 6.4.1

AI Analysis

LDAP Injection vulnerability in PAC4J, allowing low-privileged attackers to inject crafted LDAP syntax and potentially execute unauthorized LDAP queries and directory operations.

Basic Information

ID CVE-2026-40459

Source CERT-PL

Published Apr 17, 2026 at 13:18

Affected Product

Vendor PAC4J

Product PAC4J

Version 4.0

Affected Versions PAC4J PAC4J 4.0
PAC4J PAC4J 5.0
PAC4J PAC4J 6.0

CWE Classification

CWE-90

AI Assessment

AI Score 8.7 / 10

AI Severity High

Vendor PAC4J

Product PAC4J

Version 4.0, 5.0, 6.0

References

{
    "lastseen": "",
    "description": "PAC4J is vulnerable to LDAP Injection in multiple methods. A low-privileged remote attacker can inject crafted LDAP syntax into ID-based search parameters, potentially resulting in unauthorized LDAP queries and arbitrary directory operations.\n\nThis issue was fixed in PAC4J versions 4.5.10, 5.7.10 and 6.4.1",
    "published": "2026-04-17T13:18:39.181Z",
    "modified": "2026-04-17T13:18:39.181Z",
    "type": "cve",
    "title": "LDAP Injection in PAC4J",
    "source": "CERT-PL",
    "references": "https://cert.pl/en/posts/2026/04/CVE-2026-40458/\nhttps://www.pac4j.org/blog/security-advisory-pac4j-core-and-ldap.html",
    "id": "CVE-2026-40459",
    "bulletinFamily": "",
    "cwe": [
        "CWE-90"
    ],
    "cvelist": null,
    "sourceData": "PAC4J PAC4J 4.0\nPAC4J PAC4J 5.0\nPAC4J PAC4J 6.0",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "PAC4J",
    "version": "4.0",
    "vendor": "PAC4J",
    "ai_description": "LDAP Injection vulnerability in PAC4J, allowing low-privileged attackers to inject crafted LDAP syntax and potentially execute unauthorized LDAP queries and directory operations.",
    "ai_severity": "High",
    "ai_vendor": "PAC4J",
    "ai_product": "PAC4J",
    "ai_version": "4.0, 5.0, 6.0",
    "ai_score": 8.7
}

💭 Join the Security Discussion ❌ Cancel Reply