PT-2026-33451 · Pac4J · Pac4J

Published: 2026-04-17 · Updated: 2026-04-19 · CVE-2026-40458

CVSS v4.0: 7.0 (High)

Vector: AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
PAC4J versions prior to 5.7.10
PAC4J versions prior to 6.4.1
Description: Cross-Site Request Forgery (CSRF) occurs when an attacker crafts a website that automatically submits a forged request carrying a token whose hash collides with the victim's legitimate CSRF token. This is possible because collisions in the deterministic String.hashCode() function can be computed directly, which reduces the effective security space of the token to 32 bits. An attacker can therefore bypass the protection and perform state-changing operations, such as profile updates, password changes and account linking, without the victim's consent and without knowing the actual token or its hash beforehand.
Recommendations: Update to version 5.7.10 or to version 6.4.1.
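Added example, not pac4j code: a Python reimplementation of Java's String.hashCode() shows why comparing CSRF tokens by their 32-bit hash is weak next to a constant-time comparison of the full token values. The token strings and the colliding pair "Aa"/"BB" are constructed for illustration.

```python
import hmac


def java_string_hashcode(s: str) -> int:
    """Reimplementation of Java's String.hashCode() for BMP strings:
    h = 31*h + c per char, with int overflow folded into signed 32 bits."""
    h = 0
    for ch in s:
        h = (31 * h + ord(ch)) & 0xFFFFFFFF
    # Java ints are signed; fold the unsigned accumulator into the signed range
    return h - 0x100000000 if h >= 0x80000000 else h


def weak_csrf_check(session_token: str, submitted_token: str) -> bool:
    """Vulnerable pattern (constructed, not pac4j's code): the check passes
    whenever the two 32-bit hashes match, so any hashCode collision is accepted."""
    return java_string_hashcode(session_token) == java_string_hashcode(submitted_token)


def strong_csrf_check(session_token: str, submitted_token: str) -> bool:
    """Hardened pattern: constant-time comparison of the whole token value,
    so only the exact token the server issued is accepted."""
    return hmac.compare_digest(session_token.encode(), submitted_token.encode())


def demo() -> dict:
    # Constructed example: "Aa" and "BB" are different strings with the same
    # Java hashCode (2112), so they stand in for a legitimate and a colliding token.
    legitimate = "Aa"
    colliding = "BB"
    return {
        "hashes_equal": java_string_hashcode(legitimate) == java_string_hashcode(colliding),
        "weak_accepts_colliding": weak_csrf_check(legitimate, colliding),
        "strong_accepts_colliding": strong_csrf_check(legitimate, colliding),
        "strong_accepts_real": strong_csrf_check(legitimate, legitimate),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```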

Fix

CSRF

Weakness Enumeration

Related Identifiers: CVE-2026-40458, GHSA-XW5C-JC7X-GF75

Affected Products: Pac4J