PAC4J Cross-Site Request Forgery Vulnerability

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability exists in PAC4J versions 5.0 prior to 5.7.10 and 6.0 prior to 6.4.1. It allows an attacker to bypass the application's CSRF protection by crafting a malicious website that submits a forged request carrying a token that collides with the victim's legitimate CSRF token; the attacker does not need to know the victim's token or its hash beforehand. A successful bypass enables unauthorized profile updates, password changes, account linking, and other state-altering actions.

Impact

Exploitation of this vulnerability allows for unauthorized actions to be performed on behalf of the user, such as changing passwords, updating profiles, linking accounts, and other state-changing operations, all without the user's consent.

Remediation

Users should upgrade to PAC4J version 5.7.10 (for the 5.x line) or 6.4.1 (for the 6.x line). Instructions for upgrading can be found in the PAC4J security advisory on the PAC4J website.

Added: Apr 17, 2026, 2:31 PM
Updated: Apr 17, 2026, 2:31 PM

Vulnerability Rating

Custom Algorithm

Category         Score
spread           1.2
impact           0.6
exploitability   4.2
remediation      7.7
relevance        6.1
threat           0.0
urgency          2.9
incentive        0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.