LDAP Injection in Pac4j

CVE-2026-40459

PAC4J is vulnerable to LDAP Injection in multiple methods. A low-privileged remote attacker can inject crafted LDAP syntax into ID-based search parameters, potentially resulting in unauthorized LDAP queries and arbitrary directory operatio…
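
The defect class the description names is a search filter built by concatenating an untrusted identifier. The following is an added example (not pac4j's own code, and not its fix) showing the vulnerable pattern beside a hardened one that escapes filter metacharacters per RFC 4515; the attribute name `uid` and the sample identifiers are constructed assumptions.

```java
import java.util.Arrays;
import java.util.List;

public final class LdapIdFilter {

    // Escape the characters that RFC 4515 gives special meaning inside a filter
    // assertion value, so user input can only ever match as a literal value.
    static String escapeFilterValue(String value) {
        StringBuilder out = new StringBuilder(value.length() + 8);
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': out.append("\\5c"); break;
                case '*':  out.append("\\2a"); break;
                case '(':  out.append("\\28"); break;
                case ')':  out.append("\\29"); break;
                case '\0': out.append("\\00"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Vulnerable pattern: the caller-supplied id is concatenated straight into the
    // filter, so filter syntax inside the id changes the meaning of the query.
    static String unsafeFilter(String id) {
        return "(&(objectClass=person)(uid=" + id + "))";
    }

    // Hardened pattern: the attribute name is fixed in code and the id is escaped
    // before it reaches the filter, so the query shape cannot change.
    static String safeFilter(String id) {
        return "(&(objectClass=person)(uid=" + escapeFilterValue(id) + "))";
    }

    public static void main(String[] args) {
        // Constructed sample inputs; none of them come from the advisory.
        List<String> ids = Arrays.asList("alice", "*)(uid=*");
        for (String id : ids) {
            System.out.println("unsafe: " + unsafeFilter(id));
            System.out.println("safe:   " + safeFilter(id));
        }
    }
}
```

For the second sample the unsafe filter becomes `(&(objectClass=person)(uid=*)(uid=*))`, which matches every person entry, while the escaped form `(&(objectClass=person)(uid=\2a\29\28uid=\2a))` matches only an account literally named that way.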

EPSS: 0.001 (18.1th percentile)

Affected products

  • Pac4j — versions 4.0, 5.0, 6.0

Weakness classification (CWE)

References