LDAP Injection Vulnerability in BC-JAVA from Legion of the Bouncy Castle Inc.
CVE-2026-0636

5.5MEDIUM

Key Information:

Vendor: Legion Of The Bouncy Castle Inc.
Status: Bc-java
Vendor: CVE Published:; 15 April 2026

🔔 Create Legion Of The Bouncy Castle Inc. Vulnerability Alert

What is CVE-2026-0636?

This vulnerability arises from improper handling of special characters in LDAP queries within the BC-JAVA library, specifically affecting the LDAPStoreHelper program files. Attackers can exploit this flaw by injecting malicious LDAP queries, potentially leading to unauthorized access or manipulation of LDAP data. The issue is present in all versions from 1.74 up to but not including 1.84, highlighting a critical need for users to upgrade to the latest patched versions to mitigate this risk.

Affected Version(s)

BC-JAVA all 1.74 < 1.84

References

https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902026%E2...

vendor-advisory

https://github.com/bcgit/bc-java/commit/d20cdb8430e092241...

patch

CVSS V4

Score:

5.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 15, 2026
Vulnerability Reserved
Jan 6, 2026

Credit

Prasanth Sundararajan (prasanth.srihari@gmail.com)

CVE-2026-0636 Data

JSON