David Hook edited this page May 18, 2026 · 8 revisions
Title: LDAP Injection Vulnerability in LDAPStoreHelper.java
Issue affecting: BC 1.74 to 1.80.1, BC 1.81, BC 1.82 to BC 1.83.
Fixed versions: BC 1.80.2, BC 1.81.1, BC 1.84
Platform affected: Java 4 and later.
Bouncy Castle provides a secondary API for use with LDAP servers when doing certificate processing. Prior to 1.84, using code similar to the problem code fixed by CVE-2023-33201, the implementation of the LDAP classes under org.bouncycastle.x509 did not check the X.500 name of any certificate, subject, or issuer passed in for LDAP wildcards, so the presence of a wildcard may lead to information disclosure if the API is used in a manner that may accept unvetted certificates. The API in question must be invoked explicitly in order to be used.
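The check that was missing, shown as an added example rather than Bouncy Castle's own code: before an X.500 name from a certificate is placed into an LDAP search filter, reject it if it carries a wildcard and escape the remaining filter metacharacters per RFC 4515. The class, method names and the sample names are all constructed for illustration and do not correspond to anything in LDAPStoreHelper.java.

```java
/**
 * Added example (not Bouncy Castle code): RFC 4515 filter-value escaping and a
 * wildcard check for X.500 names before they are placed into an LDAP search
 * filter. The names used below are constructed samples, not real PKI data.
 */
public class LdapFilterHygiene {

    /** Characters that change the meaning of an LDAP search filter (RFC 4515 section 3). */
    private static final String SPECIAL = "*()\\\0";

    /** Escape a single assertion value as \XX hex pairs so it is matched literally. */
    public static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            if (SPECIAL.indexOf(c) >= 0) {
                sb.append('\\').append(String.format("%02x", (int) c));
            } else {
                sb.append(c);
            }
        }
        return sb.toString();
    }

    /** The check the advisory describes: true only when the name carries no LDAP wildcard. */
    public static boolean isFreeOfWildcards(String x500Name) {
        return x500Name.indexOf('*') < 0;
    }

    /** Build an equality filter for one attribute, refusing wildcards and escaping the rest. */
    public static String subjectFilter(String attribute, String x500Name) {
        if (!isFreeOfWildcards(x500Name)) {
            throw new IllegalArgumentException("X.500 name contains an LDAP wildcard: " + x500Name);
        }
        return "(" + attribute + "=" + escapeFilterValue(x500Name) + ")";
    }

    public static void main(String[] args) {
        // Constructed sample: a subject name as it might appear in a certificate.
        String trusted = "CN=Example User, O=Example Corp (EU), C=DE";
        System.out.println(subjectFilter("cn", trusted));

        // Constructed sample containing a wildcard: rejected before any search is issued.
        String untrusted = "CN=*, O=Example Corp, C=DE";
        try {
            subjectFilter("cn", untrusted);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Note that escaping alone would already make a `*` match literally; the explicit rejection mirrors the fix the advisory describes, and the escaping covers the parentheses, backslashes and NUL bytes that a name can legitimately contain.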