Skip to main content

Pac4J EUVDEUVD-2026-23421

| CVE-2026-40458 HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-04-17 CERT-PL GHSA-xw5c-jc7x-gf75
7.0
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.0 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

8
Analysis Updated
Apr 20, 2026 - 14:58 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 20, 2026 - 14:52 vuln.today
cvss_changed
Patch released
Apr 20, 2026 - 14:41 nvd
Patch available
Analysis Generated
Apr 17, 2026 - 16:08 vuln.today
Patch available
Apr 17, 2026 - 14:01 EUVD
EUVD ID Assigned
Apr 17, 2026 - 13:45 euvd
EUVD-2026-23421
Analysis Generated
Apr 17, 2026 - 13:45 vuln.today
CVE Published
Apr 17, 2026 - 13:18 nvd
HIGH 7.0

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 16 maven packages depend on org.pac4j:pac4j-core (16 direct, 0 indirect)

Ecosystem-wide dependent count for version 6.0.0-RC1.

DescriptionCVE.org

PAC4J is vulnerable to Cross-Site Request Forgery (CSRF). A malicious attacker can craft a specially designed website which, when visited by a user, will automatically submit a forged cross-site request with a token whose hash collides with the victim's legitimate CSRF token. Importantly, the attacker does not need to know the victim’s CSRF token or its hash prior to the attack. Collisions in the deterministic String.hashCode() function can be computed directly, reducing the effective token's security space to 32 bits. This bypasses CSRF protection, allowing profile updates, password changes, account linking, and any other state-changing operations to be performed without the victim's consent.

This issue was fixed in PAC4J versions 5.7.10 and 6.4.1

AnalysisAI

CSRF protection bypass in PAC4J authentication library allows remote attackers to forge state-changing requests without victim consent by exploiting hash collisions in Java's String.hashCode() function. Affects PAC4J 5.x before 5.7.10 and 6.x before 6.4.1, requiring victim interaction (visiting malicious site). EPSS score of 0.02% (5th percentile) indicates very low observed exploitation probability. No active exploitation confirmed (not in CISA KEV). CERT-PL disclosed the vulnerability with vendor patches now available.

Technical ContextAI

PAC4J is a widely-used Java security framework providing authentication and authorization mechanisms for web applications. This vulnerability stems from PAC4J's reliance on Java's deterministic String.hashCode() function for CSRF token validation. The hashCode() method produces only 32-bit output, creating a feasible collision space (~4.3 billion possible values). An attacker can precompute strings that hash to the same value as a victim's legitimate CSRF token without ever observing the actual token. This reduces the effective security from the token's full entropy (typically 128+ bits) to just 32 bits, making brute-force hash collision attacks computationally trivial. The root cause is CWE-352 (Cross-Site Request Forgery), specifically a cryptographic weakness in the token validation mechanism. All applications using PAC4J versions 5.0 through 5.7.9 or 6.0 through 6.4.0 for CSRF protection are vulnerable, particularly those implementing state-changing operations like profile updates, password changes, or account linking.

RemediationAI

Upgrade to PAC4J version 5.7.10 (for 5.x deployments) or 6.4.1 (for 6.x deployments) immediately. These versions replace the weak hashCode() comparison with cryptographically secure token validation. Patched versions are available from the official PAC4J repository and Maven Central. Refer to vendor security advisory at https://www.pac4j.org/blog/security-advisory-pac4j-core-and-ldap.html for upgrade instructions. If immediate patching is not feasible, implement compensating controls: (1) Enable SameSite=Strict cookie attribute on session cookies to prevent cross-site transmission (may break legitimate cross-site workflows), (2) implement additional server-side origin/referer validation for state-changing operations (can be bypassed by sophisticated attackers), and (3) require re-authentication for sensitive operations like password changes or account linking (adds user friction but significantly raises attack difficulty). Note that compensating controls do not fully mitigate the vulnerability and should only be temporary measures until patching.

Share

EUVD-2026-23421 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy