How to fix EUVD-2026-23421?

Within 24 hours: Inventory all applications using PAC4J and identify those running versions 5.0-5.7.9 or 6.0-6.4.0. Within 7 days: Upgrade PAC4J to version 5.7.10 or 6.4.1 (or later) and test in staging environment. Within 30 days: Complete production deployment of patched versions across all affected systems and verify patch application through dependency scanning.

Is Pac4J affected by EUVD-2026-23421?

PAC4J authentication library versions 5.0-5.7.9 and 6.0-6.4.0 contain a CSRF token bypass vulnerability that enables attackers to perform unauthorized account modifications including password changes and account takeover.

EUVD-2026-23421

| CVE-2026-40458 HIGH

2026-04-17 CERT-PL

CSRF Pac4J

7.0

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Scope

Lifecycle Timeline

Analysis Generated

Apr 17, 2026 - 16:08 vuln.today

patch_available

Apr 17, 2026 - 14:01 EUVD

DescriptionNVD

PAC4J is vulnerable to Cross-Site Request Forgery (CSRF). A malicious attacker can craft a specially designed website which, when visited by a user, will automatically submit a forged cross-site request with a token whose hash collides with the victim's legitimate CSRF token. Importantly, the attacker does not need to know the victim’s CSRF token or its hash prior to the attack. Collisions in the deterministic String.hashCode() function can be computed directly, reducing the effective token's security space to 32 bits. This bypasses CSRF protection, allowing profile updates, password changes, account linking, and any other state-changing operations to be performed without the victim's consent.

This issue was fixed in PAC4J versions 5.7.10 and 6.4.1

AnalysisAI

CSRF token bypass in PAC4J authentication library (versions 5.0-5.7.9 and 6.0-6.4.0) allows remote attackers to perform unauthorized state-changing operations via hash collision exploitation. Attackers craft tokens that collide with victims' legitimate CSRF tokens by exploiting Java's deterministic String.hashCode() function, reducing effective security from cryptographic strength to 32 bits. …

RemediationAI

Within 24 hours: Inventory all applications using PAC4J and identify those running versions 5.0-5.7.9 or 6.0-6.4.0. Within 7 days: Upgrade PAC4J to version 5.7.10 or 6.4.1 (or later) and test in staging environment. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

EUVD-2026-23421 vulnerability details – vuln.today

Back

EUVD-2026-23421

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

EUVD-2026-23421

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code