CVE-2026-40459

High

Published: 17 April 2026

Published

17 April 2026

Modified

20 April 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0014 33.6th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

PAC4J is vulnerable to LDAP Injection in multiple methods. A low-privileged remote attacker can inject crafted LDAP syntax into ID-based search parameters, potentially resulting in unauthorized LDAP queries and arbitrary directory operations. This issue was fixed in PAC4J versions 4.5.10,…

5.7.10 and 6.4.1

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly requires validation of ID-based search parameters to prevent injection of crafted LDAP syntax into PAC4J methods.

SI-2 Flaw Remediation good match

prevent

Ensures timely patching of vulnerable PAC4J versions (4.5.10, 5.7.10, 6.4.1) to remediate the LDAP injection flaw.

SI-9 Information Input Restrictions good match

prevent

Enforces restrictions on inputs to LDAP search parameters, rejecting malformed or suspicious content that could enable unauthorized directory operations.

Security SummaryAI

CVE-2026-40459 is an LDAP injection vulnerability affecting the PAC4J security library, specifically in multiple methods that handle ID-based search parameters. Published on 2026-04-17, it allows injection of crafted LDAP syntax due to insufficient input validation, as classified under CWE-90. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity with potential for significant confidentiality, integrity, and availability impacts.

A low-privileged remote attacker can exploit this vulnerability over the network with low complexity and no user interaction required. By injecting malicious LDAP syntax into affected search parameters, the attacker can execute unauthorized LDAP queries against the directory service, potentially leading to arbitrary directory operations such as data exfiltration, modification, or deletion.

PAC4J has addressed the issue in versions 4.5.10, 5.7.10, and 6.4.1. Security advisories, including the official PAC4J blog post and a CERT.PL entry, detail the vulnerability and recommend upgrading to these patched releases for mitigation.

Details

CWE(s): CWE-90

Affected Products

pac4j

4.0.0 — 4.5.10 · 5.0.0 — 5.7.10 · 6.0.0 — 6.4.1

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1210 Exploitation of Remote Services Lateral Movement

Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

attack.mitre.org →

T1087.002 Domain Account Discovery

Adversaries may attempt to get a listing of domain accounts.

attack.mitre.org →

T1069.002 Domain Groups Discovery

Adversaries may attempt to find domain-level groups and permission settings.

attack.mitre.org →

Why these techniques?

LDAP injection in PAC4J enables exploitation of public-facing applications and remote services via crafted inputs, facilitating unauthorized directory queries for domain account and group discovery.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://cert.pl/en/posts/2026/04/CVE-2026-40458/
Third Party Advisory · cvd@cert.pl
https://www.pac4j.org/blog/security-advisory-pac4j-core-and-ldap.html
Vendor Advisory · cvd@cert.pl