CVSS Vector (NVD)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
Description (NVD)
PAC4J is vulnerable to LDAP Injection in multiple methods. A low-privileged remote attacker can inject crafted LDAP syntax into ID-based search parameters, potentially resulting in unauthorized LDAP queries and arbitrary directory operations.
This issue was fixed in PAC4J versions 4.5.10, 5.7.10 and 6.4.1.
Analysis (AI)
LDAP injection in the PAC4J authentication library allows authenticated remote attackers to manipulate directory queries and execute unauthorized LDAP operations across versions 4.0 to 6.4.0. Low attack complexity and network reachability elevate the risk despite the requirement for low privileges. …
Remediation (AI)
Within 24 hours: Inventory all applications and services using the PAC4J library and identify the running versions. Within 7 days: Upgrade to PAC4J version 4.5.10, 5.7.10, or 6.4.1 depending on your current branch, and test in a non-production environment. …
EUVD-2026-23423