
Description

Improper neutralization of special elements used in an LDAP query ('LDAP injection') vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcprov on all platforms (prov modules). This vulnerability is associated with the program file LDAPStoreHelper. This issue affects BC-JAVA: from 1.74 before 1.80.2, from 1.81 before 1.81.1, from 1.82 before 1.84.

PUBLISHED Reserved 2026-01-06 | Published 2026-04-15 | Updated 2026-05-18 | Assigner bcorg




MEDIUM: 5.5

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/S:N/AU:Y/R:A/RE:M/U:Amber

Problem types

CWE-90 Improper neutralization of special elements used in an LDAP query ('LDAP injection')

Product status

Default status: unaffected

1.74 (maven) before 1.80.2: affected

1.81 (maven) before 1.81.1: affected

1.82 (maven) before 1.84: affected

Credits

Prasanth Sundararajan (prasanth.srihari@gmail.com) finder

References

github.com/bcgit/bc-java/wiki/CVE‐2026‐0636 vendor-advisory

github.com/...ommit/d20cdb8430e09224114fec0179a71859929fcbde patch

cve.org (CVE-2026-0636)

nvd.nist.gov (CVE-2026-0636)
