Description
Improper neutralization of special elements used in an LDAP query ('LDAP injection') vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcprov (all prov modules). The affected code is the LDAPStoreHelper source file (LDAPStoreHelper.java).

This issue affects BC-JAVA: from 1.74 before 1.84.
Published: 2026-04-15
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: LDAP Injection
Action: Immediate Patch
AI Analysis

Impact

Improper neutralization of special elements in LDAP queries in Bouncy Castle's BC-JAVA bcprov library allows an attacker who controls a value that LDAPStoreHelper (the helper that looks up X.509 certificates and CRLs in an LDAP directory) places into a search filter to inject LDAP filter syntax and change which directory entries the search returns. The assigned CVSS 4.0 vector (VC:L/VI:N/VA:N) rates this as a limited confidentiality impact: the altered filter can make the application retrieve certificate or CRL entries it did not intend to query, but the record does not claim that directory entries can be modified or that authentication is bypassed. The weakness is classified as CWE-90.

Affected Systems

Legion of the Bouncy Castle Inc. ships the affected code in the bcprov component (the prov modules) of BC-JAVA. Versions from 1.74 before 1.84 are affected. Only applications that use the LDAP-backed certificate and CRL lookup path through LDAPStoreHelper.java are exposed; consumers of bcprov that never build LDAP queries do not reach the vulnerable code.

Risk and Exploitability

The CVSS 4.0 score of 5.5 (Medium) reflects network reachability with no privileges or user interaction required, combined with a low confidentiality impact and no integrity or availability impact. The EPSS probability is below 1%, and the vulnerability is not listed in the CISA KEV catalog; the SSVC assessment records no known exploitation, partial technical impact, and 'Automatable: yes'. Exploitation requires an application that hands attacker-influenced data to the LDAP query construction in the affected Bouncy Castle library, so the practical risk depends on whether that path is reachable in a given deployment rather than on the library alone.

Generated by OpenCVE AI on April 15, 2026 at 11:28 UTC.

Remediation

The page records no vendor advisory or workaround text. The affected range in the CVE record ('from 1.74 before 1.84') indicates that the fix is in BC-JAVA 1.84.

OpenCVE Recommended Actions

  • Upgrade to BC-JAVA version 1.84 or newer, the first release outside the affected range, which contains the fix for the LDAP injection in LDAPStoreHelper.java.
  • If an upgrade is not immediately possible, treat every value that your application hands to the LDAP-backed store as untrusted and escape it for the position it occupies: assertion values per RFC 4515 section 3 (`*`, `(`, `)`, `\` and NUL become backslash-hex escapes) and distinguished-name components per RFC 4514. The page does not identify an escaping utility in Bouncy Castle itself; use one from your directory client library or a small, reviewed helper of your own.
  • Review every LDAP query construction point in the application to confirm that no unsanitised, attacker-influenced value (including fields taken from certificates, such as subject or issuer names) can reach the LDAPStoreHelper class.
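The following is an added example, not Bouncy Castle code and not the patched LDAPStoreHelper. It shows the bug class behind the second recommendation: a value concatenated into a filter unchanged turns a lookup for one certificate entry into a wildcard search, while RFC 4515 escaping makes the same value match only literally. The filter template, the attribute names `objectClass=pkiUser` and `cn`, and the hostile input are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;

/**
 * Added example (not from Bouncy Castle). Demonstrates LDAP filter injection
 * through string concatenation and the RFC 4515 section 3 escaping that
 * prevents it. The filter template and attribute names are assumptions.
 */
public final class LdapFilterEscapeDemo {

    private LdapFilterEscapeDemo() {}

    /** Vulnerable pattern: the caller-supplied value is spliced into the filter as-is. */
    static String vulnerableFilter(String subjectCn) {
        return "(&(objectClass=pkiUser)(cn=" + subjectCn + "))";
    }

    /** Hardened pattern: the value is escaped so the filter can only match it literally. */
    static String hardenedFilter(String subjectCn) {
        return "(&(objectClass=pkiUser)(cn=" + escapeFilterValue(subjectCn) + "))";
    }

    /**
     * Escapes an assertion value per RFC 4515 section 3: '*', '(', ')', '\'
     * and NUL become backslash-hex escapes. Bytes above 0x7F are hex-escaped
     * as well, which the RFC permits for any byte of the UTF-8 encoding.
     */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length() + 8);
        for (byte b : value.getBytes(StandardCharsets.UTF_8)) {
            int c = b & 0xff;
            switch (c) {
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\\': sb.append("\\5c"); break;
                case 0x00: sb.append("\\00"); break;
                default:
                    if (c >= 0x80) {
                        sb.append(String.format("\\%02x", c));
                    } else {
                        sb.append((char) c);
                    }
            }
        }
        return sb.toString();
    }

    /**
     * Review helper: true if the value still contains a filter metacharacter
     * that is not part of a well-formed "\XX" escape. Useful as an assertion
     * at the boundary where values enter filter construction.
     */
    static boolean hasUnescapedMetachar(String value) {
        int n = value.length();
        for (int i = 0; i < n; i++) {
            char ch = value.charAt(i);
            if (ch == '\\') {
                boolean validEscape = i + 2 < n
                        && Character.digit(value.charAt(i + 1), 16) >= 0
                        && Character.digit(value.charAt(i + 2), 16) >= 0;
                if (!validEscape) {
                    return true;
                }
                i += 2; // skip the two hex digits of a valid escape
            } else if (ch == '*' || ch == '(' || ch == ')' || ch == '\0') {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed hostile value: closes the cn assertion and appends a wildcard clause.
        String hostile = "*)(cn=*";

        System.out.println("vulnerable filter: " + vulnerableFilter(hostile));
        System.out.println("hardened filter:   " + hardenedFilter(hostile));

        // Non-ASCII input is preserved as hex-escaped UTF-8 rather than dropped or mangled.
        System.out.println("utf-8 value:       " + escapeFilterValue("M\u00fcller"));

        // Boundary check: raw input fails, escaped input passes.
        System.out.println("raw has metachars:     " + hasUnescapedMetachar(hostile));
        System.out.println("escaped has metachars: " + hasUnescapedMetachar(escapeFilterValue(hostile)));
    }
}
```

With the hostile value `*)(cn=*`, the vulnerable template yields `(&(objectClass=pkiUser)(cn=*)(cn=*))`, which matches every `pkiUser` entry in the searched subtree; the hardened template yields `(cn=\2a\29\28cn=\2a)`, which matches only an entry whose `cn` is that exact string. Note that this escaping is for assertion values only; a value that is placed into a distinguished name (the search base or a DN attribute) needs RFC 4514 escaping instead. Application-side escaping is a mitigation only where the application controls the value before it reaches LDAPStoreHelper; the fix for the library itself is the upgrade to 1.84.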

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 15:15:00 +0000

  First Time appeared
    Values Added: Bouncycastle; Bouncycastle bc-java
  Vendors & Products
    Values Added: Bouncycastle; Bouncycastle bc-java

Wed, 15 Apr 2026 14:15:00 +0000

  Metrics (ssvc)
    Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 15 Apr 2026 10:00:00 +0000

  Description
    Values Removed: Improper neutralization of special elements used in an LDAP query ('LDAP injection') vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcprov on all (prov modules). LDAP Injection Vulnerability in LDAPStoreHelper.java This issue affects BC-JAVA: from 1.49 before 1.84.
    Values Added: Improper neutralization of special elements used in an LDAP query ('LDAP injection') vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcprov on all (prov modules). This vulnerability is associated with program files LDAPStoreHelper. This issue affects BC-JAVA: from 1.74 before 1.84.
  References
  Metrics (cvssV4_0)
    Values Removed: {'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}
    Values Added: {'score': 5.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/S:N/AU:Y/R:A/RE:M/U:Amber'}

Wed, 15 Apr 2026 09:30:00 +0000

  Description
    Values Added: Improper neutralization of special elements used in an LDAP query ('LDAP injection') vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcprov on all (prov modules). LDAP Injection Vulnerability in LDAPStoreHelper.java This issue affects BC-JAVA: from 1.49 before 1.84.
  Title
    Values Added: LDAP Injection Vulnerability in LDAPStoreHelper.java
  Weaknesses
    Values Added: CWE-90
  References
  Metrics (cvssV4_0)
    Values Added: {'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: bcorg

Published:

Updated: 2026-04-15T13:12:22.433Z

Reserved: 2026-01-06T03:18:21.572Z

Link: CVE-2026-0636

Vulnrichment

Updated: 2026-04-15T13:12:16.829Z

NVD

Status : Received

Published: 2026-04-15T10:16:38.413

Modified: 2026-04-15T10:16:38.413

Link: CVE-2026-0636

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T14:53:11Z

Weaknesses