Platform: java
Component: pac4j-core
Fixed in: 4.5.10, 5.7.10, 6.4.1
PAC4J Core versions 4.0.0 through 6.4.1 are susceptible to an LDAP Injection vulnerability. This allows a remote, low-privileged attacker to inject malicious LDAP syntax into ID-based search parameters, potentially enabling unauthorized LDAP queries and arbitrary directory operations. The vulnerability has been addressed in PAC4J versions 4.5.10, 5.7.10, and 6.4.1, and users are advised to upgrade to a patched version.
CVE-2026-40459 affects PAC4J, a Java authentication library. The flaw is an LDAP injection: a low-privileged remote attacker can inject LDAP syntax into ID-based search parameters, leading to unauthorized LDAP queries and arbitrary directory operations. The potential impact includes exposure of sensitive information, data manipulation, and, in some cases, system compromise. The severity is still being assessed but is considered significant because of the possibility of unauthorized access to LDAP resources. Updating to a patched version is the essential mitigation. The root cause is that input parameters are used directly in LDAP queries without proper validation or sanitization.
Exploitation consists of manipulating the input parameters that PAC4J uses in LDAP searches. Because the attacker controls part of the filter grammar rather than just a literal value, injected filter syntax is interpreted by the LDAP server, which can allow user enumeration, modification of user attributes, or access to confidential information stored in the directory. How far this goes depends on the LDAP server configuration and on the permissions of the account under which the search runs. The lack of input validation is the primary cause of the vulnerability.
Exploit status
EPSS: 0.14% (34th percentile)
CISA SSVC
The recommended solution is to immediately update to a version of PAC4J that includes the fix, specifically versions 4.5.10, 5.7.10, or 6.4.1. If an update is not immediately feasible, consider implementing temporary mitigation measures, such as restricting access to LDAP services, enforcing strict access controls, and monitoring LDAP activity for suspicious patterns. Additionally, review the code to identify and correct any instances of insecure LDAP query usage. Validation and sanitization of all user inputs used in LDAP queries is essential to prevent future injections. Regular penetration testing is recommended to identify and address potential vulnerabilities.
Update the PAC4J Core library to version 4.5.10 or later, 5.7.10 or later, or 6.4.1 or later to mitigate the LDAP injection vulnerability. Review the PAC4J documentation for upgrade instructions specific to your environment. Validate and sanitize the user inputs used in LDAP searches to prevent injection of malicious code.
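The defensive pattern the remediation describes (allowlist the ID, then escape it before it is interpolated into a filter) as an added, stand-alone Java example; this is not pac4j's own code, and the `uid` attribute and the allowlist regex are assumptions chosen for illustration.

```java
import java.util.regex.Pattern;

/** Constructed example: building an LDAP search filter from an untrusted ID parameter. */
public final class SafeLdapFilter {

    // Assumed allowlist for an ID-style parameter: letters, digits, '.', '_', '@', '-', max 64 chars.
    private static final Pattern ID_PATTERN = Pattern.compile("^[A-Za-z0-9._@-]{1,64}$");

    /** Escapes the characters RFC 4515 reserves inside a filter assertion value (\XX hex form). */
    public static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\\': sb.append("\\5c"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Vulnerable pattern: the raw ID becomes part of the filter grammar, not just a value. */
    public static String unsafeFilter(String id) {
        return "(uid=" + id + ")";
    }

    /** Hardened pattern: reject anything outside the allowlist, then escape what remains. */
    public static String safeFilter(String id) {
        if (id == null || !ID_PATTERN.matcher(id).matches()) {
            throw new IllegalArgumentException("rejected ID: not a valid identifier");
        }
        return "(uid=" + escapeFilterValue(id) + ")";
    }

    public static void main(String[] args) {
        String legit = "jdoe";
        String tampered = "jdoe*)(cn=*";   // constructed: filter metacharacters smuggled into an ID
        System.out.println("unsafe, legit:     " + unsafeFilter(legit));
        System.out.println("unsafe, tampered:  " + unsafeFilter(tampered));      // grammar altered by input
        System.out.println("escaped, tampered: " + escapeFilterValue(tampered)); // metacharacters now literal
        try {
            safeFilter(tampered);
        } catch (IllegalArgumentException e) {
            System.out.println("safe, tampered:    " + e.getMessage());
        }
        System.out.println("safe, legit:       " + safeFilter(legit));
    }
}
```

Escaping alone keeps the filter well formed; the allowlist additionally rejects values that no legitimate ID would contain, which is the cheaper check to log and alert on.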
LDAP (Lightweight Directory Access Protocol) is a protocol for accessing and modifying information stored in a directory. LDAP directories are commonly used for authentication and authorization on networks.
LDAP injection is a type of security vulnerability that allows an attacker to inject malicious LDAP code into an LDAP query, which can result in unauthorized access to information or data manipulation.
If you are using PAC4J, check the version you are using. If it is older than the fixed release for its branch (4.5.10, 5.7.10, or 6.4.1), you are vulnerable.
Implement temporary mitigation measures, such as restricting access to LDAP and monitoring LDAP activity.
Consult the official PAC4J documentation and security advisories related to CVE-2026-40459.