Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
8DescriptionCVE.org
PAC4J is vulnerable to LDAP Injection in multiple methods. A low-privileged remote attacker can inject crafted LDAP syntax into ID-based search parameters, potentially resulting in unauthorized LDAP queries and arbitrary directory operations.
This issue was fixed in PAC4J versions 4.5.10, 5.7.10 and 6.4.1
AnalysisAI
LDAP injection vulnerabilities in PAC4J authentication library allow low-privileged remote attackers to execute arbitrary LDAP queries and directory operations by injecting malicious syntax into ID-based search parameters. Affects PAC4J 4.x before 4.5.10, 5.x before 5.7.10, and 6.x before 6.4.1. CVSS 8.7 (High) with network vector, low complexity, and low privilege requirement. No active exploitation confirmed per CISA KEV; EPSS score 0.22% suggests low near-term exploitation probability. Vendor patches available per pac4j.org advisory. CERT-PL reported vulnerability.
Technical ContextAI
PAC4J is a Java security framework providing authentication and authorization across multiple protocols (OAuth, SAML, CAS, LDAP, etc.). This vulnerability (CWE-90: LDAP Injection) affects the LDAP authentication module where user-supplied input in ID-based search parameters is insufficiently sanitized before constructing LDAP queries. LDAP injection allows attackers to manipulate query logic by inserting metacharacters like parentheses, asterisks, and boolean operators (e.g., transforming '(uid=USERNAME)' into '(uid=*)(|(uid=*))' to bypass filters or enumerate entries). The affected CPE (cpe:2.3:a:pac4j:pac4j) covers all PAC4J core distributions. Multiple methods are vulnerable, suggesting widespread improper input validation across LDAP query construction points in the codebase.
RemediationAI
Upgrade PAC4J to patched versions: 4.5.10 (for 4.x branch), 5.7.10 (for 5.x branch), or 6.4.1 (for 6.x branch) per vendor advisory at https://www.pac4j.org/blog/security-advisory-pac4j-core-and-ldap.html. Patches implement proper input validation and LDAP query parameterization to prevent injection attacks. If immediate patching is infeasible, implement compensating controls: (1) Disable LDAP authentication module in PAC4J configuration and use alternative authentication mechanisms (OAuth, SAML, database) until upgrade completes - eliminates attack surface but requires application reconfiguration and user migration; (2) Deploy strict input validation at application layer before passing parameters to PAC4J LDAP methods, specifically sanitizing LDAP special characters: parentheses, asterisks, backslashes, null bytes, pipe symbols - requires code changes and thorough testing to avoid breaking legitimate usernames; (3) Restrict network access to LDAP directories using firewall rules limiting queries to authorized application servers only - reduces blast radius but does not prevent exploitation by authenticated users. Note: Workarounds provide partial risk reduction; vendor patch is the complete fix.
The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a
In Joomla!. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required,
An issue was discovered on Accellion FTA devices before FTA_9_12_180. Rated critical severity (CVSS 9.8), this vulnerabi
Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for aut
Dolibarr 11.0.3 contains a persistent cross-site scripting vulnerability in LDAP synchronization settings that allows at
A reflected cross-site scripting (xss) vulnerability exists in the ldapUser functionality of MedDream PACS Premium 7.3.6
Authentication bypass in Apache Druid versions 0.17.0 through 35.x. Affects all versions prior to 36.0.0 when specific p
Arbitrary certificate disclosure in Apache CXF's XKMS server lets remote attackers abuse an LDAP injection flaw (CWE-90)
An issue was discovered in linqi before 1.4.0.1 on Windows. Rated critical severity (CVSS 9.8), this vulnerability is re
A vulnerability, which was classified as problematic, has been found in Jahastech NxFilter 4.3.2.5.jsp?actionFlag=test&i
An unauthenticated Apache Traffic Control Traffic Ops user can send a request with a specially-crafted username to the P
Kanboard versions 1.2.48 and earlier contain an LDAP injection vulnerability where unsanitized user input in the LDAP au
Same weakness CWE-90 – LDAP Injection
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23423