Platform: java
Component: pac4j-core
Fixed in: 5.7.10, 6.4.1
PAC4J Core versions 5.0.0 through 6.4.1 are vulnerable to a Cross-Site Request Forgery (CSRF) attack. This vulnerability allows malicious actors to craft websites that automatically submit forged requests, bypassing CSRF protection mechanisms. The root cause lies in predictable hash collisions within the String.hashCode() function, significantly reducing the token's security space. Upgrade to version 6.4.1 to resolve this issue.
The impact of this CSRF vulnerability is significant, as it allows an attacker to perform actions on behalf of an authenticated user without their knowledge or consent. Specifically, an attacker could leverage this flaw to modify user profiles, change passwords, or perform other sensitive actions that the user is authorized to do. The attacker doesn't need to know the victim's CSRF token beforehand; they can compute hash collisions directly, making exploitation relatively straightforward. This bypasses the intended security measures designed to prevent unauthorized actions via forged requests.
This vulnerability was publicly disclosed on 2026-04-17. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's nature and the ease of hash collision computation suggest a high likelihood of PoC development. It is not currently listed on CISA KEV. The vulnerability's reliance on predictable hash collisions makes it a potentially serious risk, especially in environments where PAC4J Core is widely deployed.
Applications utilizing PAC4J Core for authentication and authorization, particularly those handling sensitive user data, are at risk. Shared hosting environments where multiple applications share the same PAC4J Core library are also particularly vulnerable, as a compromise in one application could potentially impact others.
Detection checks:
• java / server:
  # Check for PAC4J Core version (only meaningful if the application prints its library versions on startup)
  java -jar your_application.jar | grep "PAC4J Core"
• generic web:
  # Check for suspicious requests in access logs
  grep -i "/your/sensitive/endpoint" access.log
Disclosure: 2026-04-17
Exploit status: no public PoC known; not listed on CISA KEV
EPSS: 0.02% (4th percentile)
The primary mitigation for CVE-2026-40458 is to upgrade PAC4J Core to version 6.4.1 or later, which addresses the hash collision vulnerability. If upgrading is not immediately feasible, consider implementing additional CSRF protection measures, such as synchronizer tokens or double-submit cookies, to bolster defenses. Web Application Firewalls (WAFs) configured to detect and block suspicious cross-site requests can also provide a layer of protection. Review and strengthen existing CSRF prevention mechanisms to ensure they are not reliant solely on the vulnerable String.hashCode() implementation.
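As an added illustration of the flaw class described above (this is not pac4j's own code, and the names weakCheck, strongCheck and newToken are hypothetical), the following contrasts a token check that relies on String.hashCode(), whose 32-bit output space admits trivial collisions, with a check based on a SecureRandom token and a constant-time comparison:

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

// Illustrative model of the weakness and its fix; not code from the pac4j project.
public final class CsrfTokenCheck {
    private static final SecureRandom RNG = new SecureRandom();

    // Hypothetical weak check: compares 32-bit hashCode() values, so any string
    // whose hashCode() equals the session token's is accepted as a valid token.
    static boolean weakCheck(String sessionToken, String submitted) {
        return sessionToken != null && submitted != null
                && submitted.hashCode() == sessionToken.hashCode();
    }

    // Hardened: 256 bits of entropy from SecureRandom, URL-safe for forms and headers.
    static String newToken() {
        byte[] buf = new byte[32];
        RNG.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    // Hardened check: compare the full token bytes in constant time.
    static boolean strongCheck(String sessionToken, String submitted) {
        if (sessionToken == null || submitted == null) return false;
        byte[] a = sessionToken.getBytes(StandardCharsets.UTF_8);
        byte[] b = submitted.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(a, b);
    }

    public static void main(String[] args) {
        // "Aa" and "BB" are distinct strings with the same hashCode() (2112):
        // the weak check accepts the wrong value, the strong check does not.
        System.out.println("weakCheck(\"Aa\", \"BB\")   = " + weakCheck("Aa", "BB"));
        System.out.println("strongCheck(\"Aa\", \"BB\") = " + strongCheck("Aa", "BB"));
        String t = newToken();
        System.out.println("strongCheck(t, t)        = " + strongCheck(t, t));
        System.out.println("strongCheck(t, other)    = " + strongCheck(t, newToken()));
    }
}
```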
Update the PAC4J Core library to version 5.7.10 or later, or to version 6.4.1 or later. This update fixes a CSRF vulnerability that allows attackers to perform actions on behalf of users without their consent.
CVE-2026-40458 is a Cross-Site Request Forgery (CSRF) vulnerability affecting PAC4J Core versions 5.0.0–6.4.1, allowing attackers to bypass CSRF protection through hash collisions.
You are affected if you are using PAC4J Core versions 5.0.0 through 6.4.1. Verify your version and upgrade if necessary.
Upgrade PAC4J Core to version 6.4.1 or later to resolve the vulnerability. Consider additional CSRF mitigation techniques if immediate upgrade is not possible.
While no public exploits are currently known, the vulnerability's nature makes it likely to be targeted, so proactive mitigation is recommended.
Refer to the official PAC4J project website and security advisories for the latest information and updates regarding CVE-2026-40458.