LDAP Injection Vulnerability in PAC4J by Pac4j
CVE-2026-40459

8.7 HIGH

Key Information:

Vendor: Pac4j
Status: Vendor
CVE Published: 17 April 2026

What is CVE-2026-40459?

PAC4J contains a vulnerability that allows remote attackers with low privileges to exploit LDAP injection in various methods. By injecting specially crafted LDAP syntax into ID-based search parameters, attackers can execute unauthorized LDAP queries and perform arbitrary operations on the directory. Users are encouraged to upgrade to PAC4J versions 4.5.10, 5.7.10, or 6.4.1 to mitigate this issue.
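An added illustration of the defensive side of the issue described above, not code from pac4j itself: an ID-based lookup filter built with and without RFC 4515 escaping of the untrusted ID, plus a structural check that flags a filter whose shape has been altered. The attribute name `uid`, the sample ID and the helper names are assumptions.

```python
import re

# RFC 4515 requires these characters inside an assertion value to be
# written as a backslash followed by two hex digits.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_ldap_filter_value(value: str) -> str:
    """Escape an untrusted string for use as an LDAP filter assertion value."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_id_filter(attribute: str, user_id: str) -> str:
    """Return an equality filter such as (uid=alice) with the ID escaped.

    The attribute name is expected to come from configuration, so it is
    validated against a strict allow-list rather than escaped.
    """
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", attribute):
        raise ValueError(f"invalid attribute name: {attribute!r}")
    return f"({attribute}={escape_ldap_filter_value(user_id)})"


def build_id_filter_unsafe(attribute: str, user_id: str) -> str:
    """Naive concatenation: the shape of the bug class named in the advisory."""
    return f"({attribute}={user_id})"


def filter_is_single_assertion(ldap_filter: str) -> bool:
    """Structural check: one unescaped '(' and ')' and no unescaped '*'.

    Escaped sequences (backslash plus two hex digits) are removed first so
    that only metacharacters that still carry filter meaning are counted.
    """
    unescaped = re.sub(r"\\[0-9A-Fa-f]{2}", "", ldap_filter)
    return (unescaped.count("(") == 1
            and unescaped.count(")") == 1
            and "*" not in unescaped)


if __name__ == "__main__":
    # Constructed sample ID containing filter metacharacters (hypothetical).
    sample_id = "alice)(objectClass=*"
    print(build_id_filter_unsafe("uid", sample_id))  # structure altered
    print(build_id_filter("uid", sample_id))         # metacharacters neutralised
```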

Affected Version(s)

PAC4J 4.0 < 4.5.10

PAC4J 5.0 < 5.7.10

PAC4J 6.0 < 6.4.1

References

CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Bartłomiej Dmitruk, striga.ai.