{"id":"CVE-2026-40459","summary":"LDAP Injection in PAC4J","details":"PAC4J is vulnerable to LDAP Injection in multiple methods. A low-privileged remote attacker can inject crafted LDAP syntax into ID-based search parameters, potentially resulting in unauthorized LDAP queries and arbitrary directory operations.\n\nThis issue was fixed in PAC4J versions 4.5.10, 5.7.10 and 6.4.1","modified":"2026-07-15T01:49:13.979654690Z","published":"2026-04-17T13:18:39.181Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40459.json","unresolved_ranges":[{"source":"AFFECTED_FIELD","extracted_events":[{"introduced":"4.0"},{"fixed":"4.5.10"},{"introduced":"5.0"},{"fixed":"5.7.10"},{"introduced":"6.0"},{"fixed":"6.4.1"}]}],"cna_assigner":"CERT-PL","cwe_ids":["CWE-90"]},"references":[{"type":"ADVISORY","url":"https://cert.pl/en/posts/2026/04/CVE-2026-40458/"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40459.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40459"},{"type":"ADVISORY","url":"https://www.pac4j.org/blog/security-advisory-pac4j-core-and-ldap.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/pac4j/pac4j","events":[{"introduced":"332a4f2d38015495108b225a3f7353a165969f90"},{"fixed":"773ecd47b45a9e23c0ec72a3a7acc2588324edb2"},{"introduced":"c4aa7948f21985f9acc6778414afc9719c79befb"},{"fixed":"735e3e573dfa90e0361cc0ca66274cacd0d6788f"},{"introduced":"355a7201cb9a1e5ded694683464332418802cac8"},{"fixed":"b28a5e1705ed4830e2d7caf2361ee8123d74dcf1"}],"database_specific":{"cpe":"cpe:2.3:a:pac4j:pac4j:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"4.0.0"},{"fixed":"4.5.10"},{"introduced":"5.0.0"},{"fixed":"5.7.10"},{"introduced":"6.0.0"},{"fixed":"6.4.1"}],"source":"CPE_RANGE"}}],"versions":["pac4j-parent-6.4.0","pac4j-parent-6.4.0-RC1","pac4j-parent-5.7.9","pac4j-4.5.9","pac4j-parent-6.3.2","pac4j-parent-6.3.1","pac4j-parent-6.3.0","pac4j-parent-6.2.2","pac4j-parent-5.7.8","pac4j-parent-6.2.1","pac4j-parent-6.2.0","pac4j-parent-6.1.3","pac4j-parent-6.1.2","pac4j-parent-6.1.1","pac4j-parent-6.1.0","pac4j-parent-6.0.6","pac4j-parent-5.7.7","pac4j-4.5.8","pac4j-parent-6.0.5","pac4j-parent-5.7.6","6.0.4.1","pac4j-parent-6.0.4","pac4j-parent-6.0.3","pac4j-parent-5.7.5","pac4j-parent-5.7.4","pac4j-parent-6.0.2","pac4j-parent-5.7.3","pac4j-parent-6.0.1","pac4j-parent-6.0.0","pac4j-parent-5.7.2","pac4j-parent-5.7.1","pac4j-parent-5.7.0","pac4j-parent-5.6.1","pac4j-4.5.7","pac4j-parent-5.6.0","pac4j-parent-5.5.0","pac4j-parent-5.4.6","pac4j-parent-5.4.5","pac4j-parent-5.4.4","pac4j-parent-5.4.3","pac4j-parent-5.4.2","pac4j-4.5.6","pac4j-parent-5.4.0","pac4j-4.5.5","pac4j-parent-5.3.1","pac4j-parent-5.3.0","pac4j-parent-5.2.1","pac4j-4.5.4","pac4j-parent-5.2.0","pac4j-4.5.3","pac4j-5.1.5","pac4j-5.1.4","pac4j-4.5.2","pac4j-5.1.3","pac4j-5.1.2","pac4j-5.1.1","pac4j-4.5.1","pac4j-5.1.0","pac4j-4.5.0","pac4j-5.0.1","pac4j-5.0.0","pac4j-4.4.0","pac4j-4.3.1","pac4j-4.2.0","pac4j-4.1.0","pac4j-4.0.3","pac4j-4.0.2","pac4j-4.0.1","pac4j-4.0.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40459.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}]}