Cross-Site Request Forgery in PAC4J Affects Security Features
CVE-2026-40458

7 HIGH

Key Information:

Vendor: Pac4j
Status: Vendor
CVE Published: 17 April 2026

What is CVE-2026-40458?

PAC4J is vulnerable to Cross-Site Request Forgery (CSRF). By exploiting a collision in Java's deterministic String.hashCode() function, an attacker can forge CSRF tokens and bypass the CSRF protection. A forged token allows unauthorized state-changing actions on behalf of the victim, such as profile changes, password modifications, and account linking, without the victim's consent. The issue is fixed in PAC4J 5.7.10 and 6.4.1; users should upgrade to one of these versions.
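The weakness class named above, as an added illustration that is not pac4j's code and makes no claim about how pac4j itself derived its tokens: a token computed from String.hashCode() is accepted for any colliding input, because hashCode() is an unkeyed 32-bit polynomial hash, whereas a CSPRNG token is tied to nothing an attacker can reproduce. The `weakToken`/`strongToken` names and the sample seed values are assumptions for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

public class CsrfTokenDemo {

    // Hypothetical weak scheme: the token is a deterministic function of
    // String.hashCode(). Any input with the same hashCode() yields the same
    // token, so colliding inputs forge it without knowing any secret.
    static String weakToken(String seed) {
        return Integer.toHexString(seed.hashCode());
    }

    // Hardened scheme: 256 bits from a CSPRNG, independent of request data.
    // Store it server-side in the session and compare on each state change.
    static String strongToken(SecureRandom rng) {
        byte[] buf = new byte[32];
        rng.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    // Constant-time comparison so validation does not leak via timing.
    static boolean tokensMatch(String expected, String presented) {
        return MessageDigest.isEqual(
            expected.getBytes(StandardCharsets.UTF_8),
            presented.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed sample values: "Aa" and "BB" are a well-known
        // String.hashCode() collision (65*31+97 == 66*31+66 == 2112),
        // so the weak tokens derived from them are identical.
        String sessionSeed = "Aa";
        String collidingSeed = "BB";
        System.out.println("weak tokens match across colliding seeds: "
            + tokensMatch(weakToken(sessionSeed), weakToken(collidingSeed)));

        // Two independently generated strong tokens have no relationship;
        // a request cannot be crafted to match one without possessing it.
        SecureRandom rng = new SecureRandom();
        String t1 = strongToken(rng);
        String t2 = strongToken(rng);
        System.out.println("strong tokens match across sessions: "
            + tokensMatch(t1, t2));
    }
}
```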

Affected Version(s)

PAC4J 5.0 < 5.7.10

PAC4J 6.0 < 6.4.1


CVSS V4

Score: 7
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published
  • Vulnerability Reserved

Credit

Bartłomiej Dmitruk, striga.ai