CVE-2026-40458: CSRF in PAC4J Core
Platform
java
Component
pac4j-core
Fixed in
5.7.10
6.4.1
PAC4J Core versions 5.0.0 through 6.4.1 are vulnerable to Cross-Site Request Forgery (CSRF). An attacker can craft a request that, when an authenticated user visits it, performs actions on that user's behalf without their knowledge. The root cause is reliance on String.hashCode(), whose predictable collisions reduce the effective security space of the CSRF token. The vulnerability was published on 2026-04-17 and a fix is available in version 6.4.1.
Impact and Attack Scenarios
An attacker exploiting this CSRF vulnerability in PAC4J Core could gain unauthorized access to user accounts and perform actions such as modifying user profiles, changing passwords, or any other action the application permits for that user. The attack does not require prior knowledge of the victim's CSRF token or its hash, which significantly simplifies it. Because the CSRF protection relies on String.hashCode(), collisions are predictable, so a forged request can pass the token check. This bypasses the standard CSRF defense and could lead to data breaches and account compromise.
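As an added illustration (not pac4j's own code), the following Python reproduces java.lang.String.hashCode() and contrasts a token check that compares only hash codes, assumed here as a simplified model of the weakness described above, with a constant-time comparison of the full token string. The collision pair "Aa"/"BB" is a constructed sample input.

```python
import hmac
import secrets


def java_string_hashcode(s: str) -> int:
    """Reproduce java.lang.String.hashCode(): h = 31*h + c over the UTF-16
    code units, wrapped to a signed 32-bit int exactly as Java does."""
    h = 0
    data = s.encode("utf-16-be")
    for i in range(0, len(data), 2):
        unit = (data[i] << 8) | data[i + 1]
        h = (31 * h + unit) & 0xFFFFFFFF
    return h - 0x100000000 if h >= 0x80000000 else h


def weak_token_check(expected: str, presented: str) -> bool:
    """Assumed weak pattern: the check passes whenever the 32-bit hash codes
    match, so a 256-bit random token only offers 32 bits of effective
    strength and any colliding string is accepted."""
    return java_string_hashcode(expected) == java_string_hashcode(presented)


def safe_token_check(expected: str, presented: str) -> bool:
    """Hardened form: compare the full token bytes in constant time, so only
    the exact token value is accepted and timing leaks are avoided."""
    return hmac.compare_digest(expected.encode("utf-8"), presented.encode("utf-8"))


def new_csrf_token() -> str:
    """Generate a token with a CSPRNG; keep and compare it as a whole string."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    # Constructed sample: two different strings with the same Java hash code.
    print(java_string_hashcode("Aa"), java_string_hashcode("BB"))  # 2112 2112
    print(weak_token_check("Aa", "BB"))  # True  -> forged value accepted
    print(safe_token_check("Aa", "BB"))  # False -> forged value rejected
```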
Exploitation Context
This vulnerability is considered a medium risk because of the potential for account takeover and data modification. No public proof-of-concept exploit is currently available, but the underlying mechanism is well understood, which increases the likelihood of exploitation. The vulnerability was disclosed on 2026-04-17. It is not currently listed in the CISA KEV catalog.
Threat Intelligence
EPSS: 0.02% (4th percentile)
Mitigation and Workarounds
The primary mitigation for CVE-2026-40458 is to upgrade PAC4J Core to version 6.4.1 or later, which addresses the hash collision weakness. If upgrading is not immediately feasible, consider additional CSRF protection such as double-submit cookies or a more robust token generation and comparison scheme. A Web Application Firewall (WAF) configured to detect and block suspicious cross-site requests can add a further layer of defense. Review and strengthen input validation and output encoding to limit the impact of a successful CSRF attack. After upgrading, confirm the fix by verifying in a test environment that a forged cross-site request is rejected and the protection mechanism is functioning correctly.
How to fix
Update the PAC4J Core library to version 5.7.10 or higher, or to version 6.4.1 or higher. This update corrects the CSRF vulnerability that allows attackers to perform actions on behalf of users without their consent.
Frequently asked questions
What is CVE-2026-40458 — CSRF in PAC4J Core?
CVE-2026-40458 is a Cross-Site Request Forgery (CSRF) vulnerability affecting PAC4J Core versions 5.0.0–6.4.1 that allows attackers to bypass CSRF protection through hash collisions.
Am I affected by CVE-2026-40458 in PAC4J Core?
You are affected if you are using PAC4J Core versions 5.0.0 through 6.4.1. Verify your version and upgrade if necessary.
How do I fix CVE-2026-40458 in PAC4J Core?
Upgrade PAC4J Core to version 6.4.1 or later to resolve the vulnerability. Consider additional CSRF mitigation techniques if immediate upgrade is not possible.
Is CVE-2026-40458 being actively exploited?
No public exploit is currently known, but the nature of the vulnerability makes it a likely target, so proactive mitigation is recommended.
Where can I find the official PAC4J advisory for CVE-2026-40458?
Refer to the official PAC4J project website and security advisories for the latest information and updates regarding CVE-2026-40458.