Skip to main content

LDAP EUVDEUVD-2026-23423

| CVE-2026-40459 HIGH
LDAP Injection (CWE-90)
2026-04-17 CERT-PL
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

8
Analysis Updated
Apr 20, 2026 - 14:57 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 20, 2026 - 14:52 vuln.today
cvss_changed
Patch released
Apr 20, 2026 - 14:38 nvd
Patch available
Analysis Generated
Apr 17, 2026 - 16:08 vuln.today
Patch available
Apr 17, 2026 - 14:01 EUVD
EUVD ID Assigned
Apr 17, 2026 - 13:45 euvd
EUVD-2026-23423
Analysis Generated
Apr 17, 2026 - 13:45 vuln.today
CVE Published
Apr 17, 2026 - 13:18 nvd
HIGH 8.7

DescriptionCVE.org

PAC4J is vulnerable to LDAP Injection in multiple methods. A low-privileged remote attacker can inject crafted LDAP syntax into ID-based search parameters, potentially resulting in unauthorized LDAP queries and arbitrary directory operations.

This issue was fixed in PAC4J versions 4.5.10, 5.7.10 and 6.4.1

AnalysisAI

LDAP injection vulnerabilities in PAC4J authentication library allow low-privileged remote attackers to execute arbitrary LDAP queries and directory operations by injecting malicious syntax into ID-based search parameters. Affects PAC4J 4.x before 4.5.10, 5.x before 5.7.10, and 6.x before 6.4.1. CVSS 8.7 (High) with network vector, low complexity, and low privilege requirement. No active exploitation confirmed per CISA KEV; EPSS score 0.22% suggests low near-term exploitation probability. Vendor patches available per pac4j.org advisory. CERT-PL reported vulnerability.

Technical ContextAI

PAC4J is a Java security framework providing authentication and authorization across multiple protocols (OAuth, SAML, CAS, LDAP, etc.). This vulnerability (CWE-90: LDAP Injection) affects the LDAP authentication module where user-supplied input in ID-based search parameters is insufficiently sanitized before constructing LDAP queries. LDAP injection allows attackers to manipulate query logic by inserting metacharacters like parentheses, asterisks, and boolean operators (e.g., transforming '(uid=USERNAME)' into '(uid=*)(|(uid=*))' to bypass filters or enumerate entries). The affected CPE (cpe:2.3:a:pac4j:pac4j) covers all PAC4J core distributions. Multiple methods are vulnerable, suggesting widespread improper input validation across LDAP query construction points in the codebase.

RemediationAI

Upgrade PAC4J to patched versions: 4.5.10 (for 4.x branch), 5.7.10 (for 5.x branch), or 6.4.1 (for 6.x branch) per vendor advisory at https://www.pac4j.org/blog/security-advisory-pac4j-core-and-ldap.html. Patches implement proper input validation and LDAP query parameterization to prevent injection attacks. If immediate patching is infeasible, implement compensating controls: (1) Disable LDAP authentication module in PAC4J configuration and use alternative authentication mechanisms (OAuth, SAML, database) until upgrade completes - eliminates attack surface but requires application reconfiguration and user migration; (2) Deploy strict input validation at application layer before passing parameters to PAC4J LDAP methods, specifically sanitizing LDAP special characters: parentheses, asterisks, backslashes, null bytes, pipe symbols - requires code changes and thorough testing to avoid breaking legitimate usernames; (3) Restrict network access to LDAP directories using firewall rules limiting queries to authorized application servers only - reduces blast radius but does not prevent exploitation by authenticated users. Note: Workarounds provide partial risk reduction; vendor patch is the complete fix.

More in LDAP

View all
CVE-2016-9299 CRITICAL POC
9.8 Jan 12

The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a

CVE-2017-14596 CRITICAL POC
9.8 Sep 20

In Joomla!. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required,

CVE-2017-8790 CRITICAL POC
9.8 May 05

An issue was discovered on Accellion FTA devices before FTA_9_12_180. Rated critical severity (CVSS 9.8), this vulnerabi

CVE-2023-28853 MEDIUM POC
6.5 Apr 04

Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for aut

CVE-2020-36966 MEDIUM POC
6.4 Jan 30

Dolibarr 11.0.3 contains a persistent cross-site scripting vulnerability in LDAP synchronization settings that allows at

CVE-2025-36556 MEDIUM POC
6.1 Jan 20

A reflected cross-site scripting (xss) vulnerability exists in the ldapUser functionality of MedDream PACS Premium 7.3.6

CVE-2026-23906 CRITICAL
9.8 Feb 10

Authentication bypass in Apache Druid versions 0.17.0 through 35.x. Affects all versions prior to 36.0.0 when specific p

CVE-2026-44930 CRITICAL
9.8 May 22

Arbitrary certificate disclosure in Apache CXF's XKMS server lets remote attackers abuse an LDAP injection flaw (CWE-90)

CVE-2024-33868 CRITICAL
9.8 May 14

An issue was discovered in linqi before 1.4.0.1 on Windows. Rated critical severity (CVSS 9.8), this vulnerability is re

CVE-2023-6905 CRITICAL
9.8 Dec 18

A vulnerability, which was classified as problematic, has been found in Jahastech NxFilter 4.3.2.5.jsp?actionFlag=test&i

CVE-2021-43350 CRITICAL
9.8 Nov 11

An unauthenticated Apache Traffic Control Traffic Ops user can send a request with a specially-crafted username to the P

CVE-2026-21880 MEDIUM POC
5.3 Jan 08

Kanboard versions 1.2.48 and earlier contain an LDAP injection vulnerability where unsanitized user input in the LDAP au

Share

EUVD-2026-23423 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy