Description
Improper neutralization of special elements used in an LDAP query ('LDAP injection') vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcprov on all (prov modules).

This vulnerability is associated with program files LDAPStoreHelper.



This issue affects BC-JAVA: from 1.74 before 1.80.2, from 1.81 before 1.81.1, from 1.82 before 1.84.
Published: 2026-04-15
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of special elements in LDAP queries, known as LDAP injection, is present in Legion of the Bouncy Castle Inc. BC-JAVA bcprov library across all prov modules. The flaw in LDAPStoreHelper.java allows an attacker to embed arbitrary LDAP filter syntax through unsanitized input, potentially enabling unauthorized reading or modification of directory entries and undermining authentication mechanisms. This weakness is identified as CWE‑90.

Affected Systems

Legion of the Bouncy Castle Inc. provides the BC-JAVA bcprov component in its prov modules. Versions from 1.74 up to, but not including, 1.80.2; from 1.81 up to, but not including, 1.81.1; and from 1.82 up to, but not including, 1.84 are affected. The issue applies to all bcprov modules that use LDAPStoreHelper.java.

Risk and Exploitability

The vulnerability carries a CVSS score of 5.5, indicating moderate impact. The EPSS score of < 1% indicates a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote, inferred from the fact that the flaw involves unsanitized input that can be supplied by an external source to the LDAP query construction within any application that incorporates the affected Bouncy Castle library. This makes it a moderate-risk, attack‑vector‑indirect risk.

Generated by OpenCVE AI on May 19, 2026 at 01:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to BC-JAVA version 1.84 or newer, which contains the patch for LDAP injection in LDAPStoreHelper.java.
  • If an upgrade is not immediately possible, ensure that all user‑controlled data passed to LDAPStoreHelper is properly escaped or sanitised using Bouncy Castle’s provided escaping utilities before inclusion in the LDAP filter.
  • Perform a code review of all LDAP query construction points in the application to confirm that no unsanitised user input can reach the LDAPStoreHelper class.

Generated by OpenCVE AI on May 19, 2026 at 01:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-c3fc-8qff-9hwx Bouncy Castle has an LDAP injection
History

Mon, 18 May 2026 23:30:00 +0000

Type Values Removed Values Added
Description Improper neutralization of special elements used in an LDAP query ('LDAP injection') vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcprov on all (prov modules). This vulnerability is associated with program files LDAPStoreHelper. This issue affects BC-JAVA: from 1.74 before 1.84. Improper neutralization of special elements used in an LDAP query ('LDAP injection') vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcprov on all (prov modules). This vulnerability is associated with program files LDAPStoreHelper. This issue affects BC-JAVA: from 1.74 before 1.80.2, from 1.81 before 1.81.1, from 1.82 before 1.84.

Wed, 29 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

threat_severity

Important

Wed, 15 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Bouncycastle
Bouncycastle bc-java
Vendors & Products Bouncycastle
Bouncycastle bc-java

Wed, 15 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 15 Apr 2026 10:00:00 +0000

Type Values Removed Values Added
Description Improper neutralization of special elements used in an LDAP query ('LDAP injection') vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcprov on all (prov modules). LDAP Injection Vulnerability in LDAPStoreHelper.java This issue affects BC-JAVA: from 1.49 before 1.84. Improper neutralization of special elements used in an LDAP query ('LDAP injection') vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcprov on all (prov modules). This vulnerability is associated with program files LDAPStoreHelper. This issue affects BC-JAVA: from 1.74 before 1.84.
References
Metrics cvssV4_0

{'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}

 cvssV4_0

{'score': 5.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/S:N/AU:Y/R:A/RE:M/U:Amber'}

Wed, 15 Apr 2026 09:30:00 +0000

Type Values Removed Values Added
Description Improper neutralization of special elements used in an LDAP query ('LDAP injection') vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcprov on all (prov modules). LDAP Injection Vulnerability in LDAPStoreHelper.java This issue affects BC-JAVA: from 1.49 before 1.84.
Title LDAP Injection Vulnerability in LDAPStoreHelper.java
Weaknesses CWE-90
References
Metrics cvssV4_0

{'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}

Subscriptions

Bouncycastle Bc-java
cve-icon MITRE

Status: PUBLISHED

Assigner: bcorg

Published:

Updated: 2026-05-18T23:20:07.728Z

Reserved: 2026-01-06T03:18:21.572Z

Link: CVE-2026-0636

cve-icon Vulnrichment

Updated: 2026-04-15T13:12:16.829Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-15T10:16:38.413

Modified: 2026-05-19T00:16:36.967

Link: CVE-2026-0636

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-15T08:59:12Z

Links: CVE-2026-0636 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-19T01:30:26Z

Weaknesses
  • CWE-90

    Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')