PAC4J LDAP Injection in ID-based Search (v <4.5.10/5.7.10/6.4.1)
CVE-2026-40459 Published on April 17, 2026

LDAP Injection in PAC4J
PAC4J is vulnerable to LDAP Injection in multiple methods. A low-privileged remote attacker can inject crafted LDAP syntax into ID-based search parameters, potentially resulting in unauthorized LDAP queries and arbitrary directory operations. This issue was fixed in PAC4J versions 4.5.10, 5.7.10 and 6.4.1

Vendor Advisory NVD

Weakness Type

What is a LDAP Injection Vulnerability?

The software constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.

CVE-2026-40459 has been classified to as a LDAP Injection vulnerability or weakness.

Affected Versions

PAC4J:

Version 4.0 and below 4.5.10 is affected.
Version 5.0 and below 5.7.10 is affected.
Version 6.0 and below 6.4.1 is affected.

PAC4J LDAP Injection in ID-based Search (v <4.5.10/5.7.10/6.4.1)CVE-2026-40459 Published on April 17, 2026

Weakness Type

What is a LDAP Injection Vulnerability?

Affected Versions

PAC4J LDAP Injection in ID-based Search (v <4.5.10/5.7.10/6.4.1)
CVE-2026-40459 Published on April 17, 2026