CVE-2026-40458

UNKNOWN 0.0

Cross-Site Request Forgery in PAC4J

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

PAC4J is vulnerable to Cross-Site Request Forgery (CSRF). A malicious attacker can craft a specially designed website which, when visited by a user, will automatically submit a forged cross-site request with a token whose hash collides with the victim's legitimate CSRF token. Importantly, the attacker does not need to know the victim’s CSRF token or its hash prior to the attack. Collisions in the deterministic String.hashCode() function can be computed directly, reducing the effective token's security space to 32 bits. This bypasses CSRF protection, allowing profile updates, password changes, account linking, and any other state-changing operations to be performed without the victim's consent. This issue was fixed in PAC4J versions 5.7.10 and 6.4.1

CWE	CWE-352
Vendor	pac4j
Product	pac4j
Published	Apr 17, 2026
Last Updated	Apr 17, 2026

Stay Ahead of the Next One

Get instant alerts for pac4j pac4j

Be the first to know when new unknown vulnerabilities affecting pac4j pac4j are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

PAC4J / PAC4J

5.0 < 5.7.10 6.0 < 6.4.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

cert.pl: https://cert.pl/en/posts/2026/04/CVE-2026-40458/ pac4j.org: https://www.pac4j.org/blog/security-advisory-pac4j-core-and-ldap.html

Credits

Bartłomiej Dmitruk, striga.ai