CVE-2026-40458— Cross-Site Request Forgery in PAC4J
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-40458
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Cross-Site Request Forgery in PAC4J
Source: NVD (National Vulnerability Database)
Vulnerability Description
PAC4J is vulnerable to Cross-Site Request Forgery (CSRF). A malicious attacker can craft a specially designed website which, when visited by a user, will automatically submit a forged cross-site request with a token whose hash collides with the victim's legitimate CSRF token. Importantly, the attacker does not need to know the victim’s CSRF token or its hash prior to the attack. Collisions in the deterministic String.hashCode() function can be computed directly, reducing the effective token's security space to 32 bits. This bypasses CSRF protection, allowing profile updates, password changes, account linking, and any other state-changing operations to be performed without the victim's consent. This issue was fixed in PAC4J versions 5.7.10 and 6.4.1
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
跨站请求伪造(CSRF)
Source: NVD (National Vulnerability Database)
Vulnerability Title
pac4j 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
pac4j是pac4j开源的一个简单而强大的 Java 安全引擎。用于验证用户、获取他们的配置文件和管理授权,以保护 Web 应用程序和 Web 服务。 pac4j 5.7.10之前版本和6.4.1之前版本存在安全漏洞,该漏洞源于确定性String.hashCode()函数中的冲突可被直接计算,从而绕过CSRF保护,可能导致恶意攻击者执行配置文件更新、密码更改、账户链接及其他状态更改操作。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-40458
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-40458
请登录查看更多情报信息。
- Vulnerabilities in PAC4J software | CERT Polskathird-party-advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-40458
IV. Related Vulnerabilities
Same weakness: CWE-352
- CVE-2021-47953
OpenCart 3.0.3.7 Cross-Site Request Forgery via account/pass - CVE-2021-47946
OpenCart 3.0.36 Account Takeover via Cross Site Request Forg - CVE-2022-50955
WordPress Plugin Curtain 1.0.2 Cross-site Request Forgery - CVE-2026-8194
osTicket Dispatcher class.dispatcher.php cross-site request - CVE-2026-42286
Emlog: Cross-Site Request Forgery in Admin Functions
V. Comments for CVE-2026-40458
No comments yet