CVE-2026-40458 — Vulnetix

CVE-2026-40458 PUBLISHED CVSS 7 HIGH

PAC4J is vulnerable to Cross-Site Request Forgery (CSRF). A malicious attacker can craft a specially designed website which, when visited by a user, will automatically submit a forged cross-site request with a token whose hash collides with the victim's legitimate CSRF token. Importantly, the attacker does not need to know the victim’s CSRF token or its hash prior to the attack. Collisions in the deterministic String.hashCode() function can be computed directly, reducing the effective token's security space to 32 bits. This bypasses CSRF protection, allowing profile updates, password changes, account linking, and any other state-changing operations to be performed without the victim's consent. This issue was fixed in PAC4J versions 5.7.10 and 6.4.1

EPSS 0.01% · 0.4th percentile

Risk Scores

CVSS v4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N

EPSS Score

0.01%

0.4th percentile

Affected Products

Vendor	Product	Versions
PAC4J	PAC4J	5.0, 6.0

Timeline

Apr 17, 2026 CVE Published
Apr 17, 2026 PoC Published
Apr 17, 2026 PoC Published
Apr 17, 2026 CVE Updated
Apr 18, 2026 Security Advisory
May 18, 2026 EPSS Score
May 19, 2026 EPSS Score
May 20, 2026 EPSS Score
May 21, 2026 EPSS Score
May 22, 2026 EPSS Score
May 23, 2026 EPSS Score
May 24, 2026 EPSS Score

References

https://cert.pl/en/posts/2026/04/CVE-2026-40458/ third-party-advisory
https://www.pac4j.org/blog/security-advisory-pac4j-core-and-ldap.html vendor-advisory
https://nvd.nist.gov/vuln/detail/CVE-2026-40458 advisory
https://cert.pl/en/posts/2026/04/CVE-2026-40458 url

Open in Interactive Console →