QwikSec

Security Database

CVE

CWE

Training

CVE-2026-40459

Published: Apr 17, 2026

Modified: Apr 17, 2026

PUBLISHED

Description

PAC4J is vulnerable to LDAP Injection in multiple methods. A low-privileged remote attacker can inject crafted LDAP syntax into ID-based search parameters, potentially resulting in unauthorized LDAP queries and arbitrary directory operations. This issue was fixed in PAC4J versions 4.5.10, 5.7.10 and 6.4.1

Vendor	Product	Versions
PAC4J	PAC4J	affected `4.0 - < 4.5.10` affected `5.0 - < 5.7.10` affected `6.0 - < 6.4.1`

Weaknesses (CWE)

References

https://cert.pl/en/posts/2026/04/CVE-2026-40458/

third-party-advisory

https://www.pac4j.org/blog/security-advisory-pac4j-core-and-ldap.html

vendor-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.