PAC4J
cpe:2.3:a:pac4j:pac4j:*:*:*:*:*:*:*
- >= 4, <= 4.5.10
- >= 5, <= 5.7.10
- >= 6, <= 6.4.1
A vulnerability allowing LDAP injection has been identified in PAC4J versions 4.0 prior to 4.5.10, 5.0 prior to 5.7.10, and 6.0 prior to 6.4.1. This vulnerability arises in multiple methods where a low-privileged remote attacker can inject crafted LDAP syntax into ID-based search parameters. Such injection could lead to unauthorized LDAP queries and arbitrary operations within the directory.
Exploitation of this vulnerability could result in unauthorized LDAP queries and arbitrary directory operations, potentially affecting the integrity and confidentiality of directory data.
Users should upgrade to PAC4J version 4.5.10 or newer, 5.7.10 or newer, or 6.4.1 or newer, depending on their current version.
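As an added illustration, not pac4j's own code: the defensive shape a fix for this bug class takes, escaping the untrusted identifier per RFC 4515 before it is interpolated into the search filter, alongside a check that the resulting filter is still a single exact-match lookup. The attribute name, the identifiers and the filter-parsing helper are constructed for the example.

```python
# Added example, not pac4j's code: an ID lookup filter built two ways.
# RFC 4515 filter-value escaping: the four metacharacters plus NUL.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    """Escape `value` so it can only match literally inside a filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def unsafe_filter(attr: str, user_id: str) -> str:
    """Vulnerable pattern: raw interpolation of an untrusted identifier."""
    return f"({attr}={user_id})"

def safe_filter(attr: str, user_id: str) -> str:
    """Hardened pattern: the identifier is escaped before interpolation."""
    return f"({attr}={escape_filter_value(user_id)})"

def leaf_assertions(ldap_filter: str) -> list[str]:
    """Collect the attr=value assertions by walking the parentheses."""
    leaves, depth, buf = [], 0, ""
    for ch in ldap_filter:
        if ch == "(":
            depth, buf = depth + 1, ""
        elif ch == ")":
            depth -= 1
            if buf and buf[0] not in "&|!":   # skip bare operators
                leaves.append(buf)
            buf = ""
        else:
            buf += ch
    if depth != 0:
        raise ValueError("unbalanced filter")
    return leaves

def is_single_exact_lookup(ldap_filter: str, attr: str) -> bool:
    """True only if the filter is exactly one literal `attr=value` test,
    the shape an ID-based lookup must have."""
    try:
        leaves = leaf_assertions(ldap_filter)
    except ValueError:
        return False
    if len(leaves) != 1:
        return False
    name, _, value = leaves[0].partition("=")
    # A raw '*' turns an exact match into a substring or presence match.
    return name == attr and value != "" and "*" not in value

if __name__ == "__main__":
    for ident in ("alice", "*", "a)(b"):   # constructed sample identifiers
        for build in (unsafe_filter, safe_filter):
            f = build("uid", ident)
            print(f"{build.__name__:14}{f!r:22} exact={is_single_exact_lookup(f, 'uid')}")
```

Running it shows the unescaped filter losing its single-assertion shape for the second and third identifiers while the escaped filter keeps it for all three.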