PAC4J CSRF and LDAP Injection Vulnerabilities (CVE-2026-40458/40459) Advisory

PAC4J Software Vulnerability Summary Vulnerability Overview CERT Polska disclosed two security vulnerabilities in the PAC4J software: 1. Cross-Site Request Forgery (CSRF) - CVE ID: CVE-2026-40458 - Type: CWE-352 (Cross-Site Request Forgery) - Description: An attacker can craft malicious requests and exploit the deterministic nature of the function in PAC4J to generate valid CSRF Tokens through hash collisions. This reduces the token's security strength to 32 bits, rendering CSRF protection ineffective and allowing the attacker to perform sensitive actions (e.g., modifying profiles, changing passwords) without the victim's knowledge. 2. LDAP Injection - CVE ID: CVE-2026-40459 - Type: CWE-90 (Improper Neutralization of Special Elements used in an LDAP Query) - Description: A low-privileged remote attacker can inject malicious LDAP query syntax to bypass restrictions on ID-based search parameters, thereby executing unauthorized LDAP queries and manipulating directory data. Impact Scope CSRF Vulnerability: Affects PAC4J versions 5.7.10 and 6.4.1. LDAP Injection Vulnerability: Affects PAC4J versions 4.5.10, 5.7.10, and 6.4.1. Remediation CSRF Vulnerability: Fixed in PAC4J versions 5.7.10 and 6.4.1. LDAP Injection Vulnerability: Fixed in PAC4J versions 4.5.10, 5.7.10, and 6.4.1. Additional Information Report Source: Reported by Bartłomiej Dmitruk (striga.a) to CERT Polska. Disclosure Date: April 17, 2026.

Goal Reached Thanks to every supporter — we hit 100%!

PAC4J CSRF and LDAP Injection Vulnerabilities (CVE-2026-40458/40459) Advisory