Description
PAC4J is vulnerable to LDAP Injection in multiple methods. A low-privileged remote attacker can inject crafted LDAP syntax into ID-based search parameters, potentially resulting in unauthorized LDAP queries and arbitrary directory operations.

This issue was fixed in PAC4J versions 4.5.10, 5.7.10 and 6.4.1
Published: 2026-04-17
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: LDAP Injection allowing arbitrary LDAP queries and directory operations
Action: Immediate Patch
AI Analysis

Impact

PAC4J allows low‑privileged remote attackers to inject crafted LDAP syntax into ID‑based search parameters. This deficiency permits unauthorized LDAP queries and arbitrary directory operations, potentially exposing sensitive directory data and enabling further exploitation. The weakness is a classic LDAP Injection that compromises application integrity and confidentiality.

Affected Systems

The vulnerability is present in PAC4J, the open‑source security framework. All releases prior to 4.5.10, 5.7.10, and 6.4.1 were affected; installations of these older versions remain at risk.

Risk and Exploitability

The CVSS score of 8.7 indicates a high severity. The EPSS value is not available, and the vulnerability is not listed in CISA KEV. An attacker who can manipulate LDAP search parameters can exploit this flaw remotely, often without requiring elevated privileges. The attack vector is most effective when PAC4J services are exposed over a network, and the impact spans the entire system that relies on PAC4J for authentication or authorization.

Generated by OpenCVE AI on April 18, 2026 at 09:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade PAC4J to a patched version: 4.5.10, 5.7.10, or 6.4.1, depending on the environment
  • If an upgrade cannot be performed immediately, sanitize all ID‑based search parameters to eliminate LDAP special characters before they reach PAC4j
  • Continuously monitor LDAP queries for unusual activity and keep audit logs to detect potential injection attempts

Generated by OpenCVE AI on April 18, 2026 at 09:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 14:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:pac4j:pac4j:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Fri, 17 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Pac4j
Pac4j pac4j
Vendors & Products Pac4j
Pac4j pac4j

Fri, 17 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 17 Apr 2026 13:45:00 +0000

Type Values Removed Values Added
Description PAC4J is vulnerable to LDAP Injection in multiple methods. A low-privileged remote attacker can inject crafted LDAP syntax into ID-based search parameters, potentially resulting in unauthorized LDAP queries and arbitrary directory operations. This issue was fixed in PAC4J versions 4.5.10, 5.7.10 and 6.4.1
Title LDAP Injection in PAC4J
Weaknesses CWE-90
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Pac4j Pac4j
cve-icon MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-04-17T13:54:22.069Z

Reserved: 2026-04-13T10:06:07.141Z

Link: CVE-2026-40459

cve-icon Vulnrichment

Updated: 2026-04-17T13:53:06.405Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-17T14:16:34.123

Modified: 2026-04-20T14:38:27.967

Link: CVE-2026-40459

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T09:30:25Z

Weaknesses