CVE-2026-40459

Summary

PAC4J is vulnerable to LDAP Injection in multiple methods. A low-privileged remote attacker can inject crafted LDAP syntax into ID-based search parameters, potentially resulting in unauthorized LDAP queries and arbitrary directory operations.

This issue was fixed in PAC4J versions 4.5.10, 5.7.10 and 6.4.1

Affected Software

VendorProductVersion RangeStatus
PAC4JPAC4J4.0 < 4.5.10affected
PAC4JPAC4J5.0 < 5.7.10affected
PAC4JPAC4J6.0 < 6.4.1affected

Weaknesses

  • CWE-90: CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References