CVE-2026-0636 Overview
CVE-2026-0636 is an LDAP Injection vulnerability affecting the Legion of the Bouncy Castle BC-JAVA cryptographic library. The vulnerability exists in the LDAPStoreHelper component within the prov modules, where improper neutralization of special elements used in LDAP queries allows attackers to manipulate LDAP operations through crafted input.
Bouncy Castle is a widely used Java cryptographic library that provides cryptographic APIs and certificate handling capabilities. The vulnerable code fails to properly escape special characters in LDAP filter expressions, potentially allowing attackers to modify LDAP query semantics when certificate store operations interact with LDAP directories.
Critical Impact
Attackers can inject malicious LDAP filter expressions to bypass authentication checks, extract sensitive directory information, or modify query logic in applications that use Bouncy Castle's LDAP certificate store functionality.
Affected Products
- BC-JAVA bcprov versions 1.74 through 1.83
- Bouncy Castle prov modules on all platforms
- Applications using X509LDAPCertStoreSpi or LDAPStoreHelper components
Discovery Timeline
- 2026-04-15 - CVE-2026-0636 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2026-0636
Vulnerability Analysis
This LDAP Injection vulnerability (CWE-90) stems from insufficient input sanitization in the Bouncy Castle LDAP certificate store implementation. When applications use BC-JAVA to retrieve certificates from LDAP directories, user-controlled input incorporated into LDAP filter expressions without proper escaping can modify the intended query structure.
The vulnerability is network-accessible with low attack complexity, requiring no privileges or user interaction for exploitation. While confidentiality impact is limited, successful exploitation could allow attackers to extract information beyond their authorized scope from LDAP directories or manipulate certificate retrieval logic.
Root Cause
The root cause lies in the LDAPStoreHelper and related LDAP classes within the prov modules, which failed to escape LDAP special characters before constructing filter expressions. According to RFC 2254, characters such as *, (, ), \, and null bytes have special meaning in LDAP filters and must be properly escaped to prevent injection attacks.
The security patch introduces a dedicated LDAPUtils class that provides centralized LDAP filter escaping functionality, ensuring all special characters are properly encoded before being incorporated into LDAP queries.
Attack Vector
The attack vector is network-based, where an attacker supplies malicious input containing LDAP metacharacters to an application using the vulnerable Bouncy Castle components. When this input is used in certificate lookups or other LDAP operations, the injected characters can:
- Modify filter logic using * wildcards or parentheses
- Escape out of string contexts using backslash sequences
- Inject null bytes to truncate or terminate queries unexpectedly
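The following is an added example, not code from the advisory or from Bouncy Castle, that shows the root cause and the fix side by side: the same "(cn=<value>)" filter a certificate lookup issues is built once by raw concatenation and once with the RFC 2254 value escaping (*, (, ), \ and NUL to backslash plus two hex digits) that the patch introduces. The class and method names are this example's own, and the inputs are constructed test values.

```java
import java.util.Arrays;
import java.util.List;

/**
 * Added example, not Bouncy Castle code: builds the same kind of
 * "(cn=<value>)" filter a certificate lookup issues, first by raw
 * concatenation (the vulnerable pattern) and then with the RFC 2254
 * value escaping the patch introduces. Class and method names are
 * this example's own.
 */
public class LdapFilterEscapeDemo
{
    /**
     * Escapes a value for use inside an LDAP search filter. The five
     * characters RFC 2254 reserves inside filter values (*, (, ), \ and
     * NUL) become a backslash followed by two hex digits; every other
     * character passes through unchanged, so no table bound is needed.
     */
    public static String escapeFilterValue(String value)
    {
        StringBuilder sb = new StringBuilder(value.length() + 8);
        for (int i = 0; i < value.length(); i++)
        {
            char c = value.charAt(i);
            switch (c)
            {
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\\': sb.append("\\5c"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Vulnerable pattern: the untrusted value is concatenated as-is. */
    public static String buildFilterUnsafe(String cn)
    {
        return "(cn=" + cn + ")";
    }

    /** Hardened pattern: the value is escaped before it enters the filter. */
    public static String buildFilterSafe(String cn)
    {
        return "(cn=" + escapeFilterValue(cn) + ")";
    }

    /**
     * Structural sanity check: a filter built from a single equality
     * component must contain exactly one '(' and one ')'. Any other count
     * means the value changed the filter's structure.
     */
    public static boolean hasSingleComponent(String filter)
    {
        int open = 0, close = 0;
        for (char c : filter.toCharArray())
        {
            if (c == '(') open++;
            else if (c == ')') close++;
        }
        return open == 1 && close == 1;
    }

    public static void main(String[] args)
    {
        // Constructed inputs: an ordinary CN, a bare wildcard, a value that
        // closes the component and opens a second one, and a backslash.
        List<String> inputs = Arrays.asList(
            "Alice Example",
            "*",
            "x)(objectClass=*",
            "back\\slash");
        for (String in : inputs)
        {
            String unsafe = buildFilterUnsafe(in);
            System.out.printf("input=%-18s unsafe=%-26s structureIntact=%-5b safe=%s%n",
                in, unsafe, hasSingleComponent(unsafe), buildFilterSafe(in));
        }
    }
}
```

Compile and run with `javac LdapFilterEscapeDemo.java && java LdapFilterEscapeDemo`. The wildcard row is the instructive one: the unescaped filter `(cn=*)` still passes the structural check, so parenthesis counting alone cannot catch the bug; only escaping the value (`(cn=\2a)`) preserves the intended "exact match" semantics. RFC 4515, which obsoletes RFC 2254, specifies the same five mandatory escapes, so the table above is current.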
The security patch implements proper escaping using the following approach:
// Security patch: LDAPUtils.java - LDAP filter character escaping
// Source: https://github.com/bcgit/bc-java/commit/d20cdb8430e09224114fec0179a71859929fcbde
+package org.bouncycastle.ldap;
+
+import org.bouncycastle.util.Strings;
+
+/**
+ * General utility methods for assisting with preparation of LDAP queries.
+ */
+public class LDAPUtils
+{
+ private static String[] FILTER_ESCAPE_TABLE = new String['\\' + 1];
+
+ static
+ {
+ // Filter encoding table -------------------------------------
+
+ // fill with char itself
+ for (char c = 0; c < FILTER_ESCAPE_TABLE.length; c++)
+ {
+ FILTER_ESCAPE_TABLE[c] = String.valueOf(c);
+ }
+
+ // escapes (RFC2254)
+ FILTER_ESCAPE_TABLE['*'] = "\\2a";
+ FILTER_ESCAPE_TABLE['('] = "\\28";
+ FILTER_ESCAPE_TABLE[')'] = "\\29";
+ FILTER_ESCAPE_TABLE['\\'] = "\\5c";
+ FILTER_ESCAPE_TABLE[0] = "\\00";
+ }
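Review bot: the escape table is declared as `new String['\\' + 1]`, i.e. 93 entries covering indices 0 to 0x5C, so every character above backslash, including all non-ASCII code points, lies outside the table; the method that consumes FILTER_ESCAPE_TABLE is not part of the quoted hunk, so a reader cannot see the bounds guard that must pass such characters through unchanged rather than indexing past the array. Please include that method in the excerpt, or note the guard in the class Javadoc. Two smaller points: `private static String[] FILTER_ESCAPE_TABLE` should be `private static final String[] FILTER_ESCAPE_TABLE`, since the reference is never reassigned after the static initialiser and `final` prevents the table from being swapped at run time; and the `// escapes (RFC2254)` comment could cite RFC 4515, which obsoletes RFC 2254 and mandates the same five escapes.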
Source: GitHub Commit Changes
Detection Methods for CVE-2026-0636
Indicators of Compromise
- LDAP query logs whose filter expressions contain unescaped *, (, ), or \ inside attribute values (as opposed to the filter's own structural parentheses)
- Unusual certificate retrieval patterns or LDAP queries targeting unexpected directory paths
- Application logs showing LDAP filter syntax errors indicating injection attempts
- Anomalous LDAP bind operations following certificate store queries
Detection Strategies
- Monitor LDAP server logs for filter expressions containing suspicious character sequences like )(, *)(, or encoded escape sequences
- Implement application-level logging to capture inputs passed to Bouncy Castle certificate store operations
- Deploy network-level inspection to identify LDAP traffic with malformed or suspicious filter syntax
- Use static analysis tools to identify BC-JAVA usage patterns that pass untrusted input to LDAP operations
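As an added example of the first detection strategy, not part of the advisory or of Bouncy Castle, the scanner below runs over directory-server log lines and flags search filters whose structure shows the ")(" seam or a truncated query. The log line format is an assumption modelled on OpenLDAP-style `SRCH base="..." filter="..."` entries, and the sample lines are constructed; the class name and verdict labels are this example's own.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example, not part of the advisory or of Bouncy Castle: scans
 * directory-server log lines for search filters whose structure shows
 * the injection shapes listed in the detection guidance. The log line
 * format is an assumption modelled on OpenLDAP-style
 * 'SRCH base="..." filter="..."' entries; the sample lines are constructed.
 */
public class LdapFilterLogScanner
{
    // Pulls the quoted filter text out of a log line.
    private static final Pattern FILTER_FIELD = Pattern.compile("filter=\"([^\"]*)\"");

    /** Returns the filter string, or null when the line carries none (e.g. a BIND). */
    public static String extractFilter(String logLine)
    {
        Matcher m = FILTER_FIELD.matcher(logLine);
        return m.find() ? m.group(1) : null;
    }

    /**
     * Classifies a filter by its parenthesis structure. A valid RFC 4515
     * filter is exactly one top-level "(...)" group, so:
     *  - UNBALANCED: more ')' than '(' at some point, or unclosed groups
     *    (truncated queries, which servers log as syntax errors);
     *  - MULTIPLE_TOP_LEVEL: a second group opened at depth 0, the
     *    "(cn=x)(objectClass=*)" shape produced by an unescaped ")(";
     *  - OK: structurally sound. Escaped values such as \29\28, which the
     *    patched library emits, do not open or close groups and pass as OK.
     */
    public static String classify(String filter)
    {
        int depth = 0;
        int topLevel = 0;
        for (char c : filter.toCharArray())
        {
            if (c == '(')
            {
                if (depth == 0) topLevel++;
                depth++;
            }
            else if (c == ')')
            {
                depth--;
                if (depth < 0) return "UNBALANCED";
            }
        }
        if (depth != 0) return "UNBALANCED";
        if (topLevel > 1) return "MULTIPLE_TOP_LEVEL";
        return "OK";
    }

    /** Runs the classifier over a batch of log lines and reports non-OK filters. */
    public static List<String> findSuspicious(List<String> logLines)
    {
        List<String> findings = new ArrayList<>();
        for (String line : logLines)
        {
            String filter = extractFilter(line);
            if (filter == null) continue;
            String verdict = classify(filter);
            if (!"OK".equals(verdict))
                findings.add(verdict + ": " + filter);
        }
        return findings;
    }

    public static void main(String[] args)
    {
        // Constructed sample log lines (not real server output).
        List<String> log = Arrays.asList(
            "conn=1001 op=2 SRCH base=\"ou=certs,dc=example,dc=com\" scope=2 filter=\"(cn=Alice Example)\"",
            "conn=1002 op=2 SRCH base=\"ou=certs,dc=example,dc=com\" scope=2 filter=\"(&(cn=Alice Example)(objectClass=pkiUser))\"",
            "conn=1003 op=2 SRCH base=\"ou=certs,dc=example,dc=com\" scope=2 filter=\"(cn=x)(objectClass=*)\"",
            "conn=1004 op=2 SRCH base=\"ou=certs,dc=example,dc=com\" scope=2 filter=\"(cn=x\\29\\28objectClass=\\2a)\"",
            "conn=1005 op=2 SRCH base=\"ou=certs,dc=example,dc=com\" scope=2 filter=\"(cn=x\"",
            "conn=1006 op=3 BIND dn=\"cn=admin,dc=example,dc=com\"");
        for (String finding : findSuspicious(log))
        {
            System.out.println(finding);
        }
    }
}
```

Run with `javac LdapFilterLogScanner.java && java LdapFilterLogScanner`; only conn=1003 (MULTIPLE_TOP_LEVEL) and conn=1005 (UNBALANCED) are reported, while the legitimate compound filter and the escaped filter from a patched library pass. The limitation is deliberate: a value injected into a compound filter such as `(&(cn=x)(objectClass=*)(o=acme))` is still well-formed and invisible to structural checks, which is why escaping at the source (upgrading to a fixed Bouncy Castle release) is the control and log scanning only surfaces the crude cases and the syntax errors the guidance above mentions.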
Monitoring Recommendations
- Enable detailed LDAP query logging on directory servers to capture filter expressions
- Configure SentinelOne Singularity to monitor Java applications for anomalous LDAP connection patterns
- Implement alerting for LDAP queries with unusually complex or nested filter expressions
- Review application dependencies for vulnerable BC-JAVA versions (1.74 through 1.83)
How to Mitigate CVE-2026-0636
Immediate Actions Required
- Upgrade Bouncy Castle BC-JAVA to version 1.84 or later immediately
- Audit applications to identify usage of X509LDAPCertStoreSpi, LDAPStoreHelper, or related LDAP certificate store components
- Review and validate all input sources that flow into LDAP certificate lookups
- Implement additional input validation at the application layer as defense-in-depth
Patch Information
The vulnerability has been addressed in BC-JAVA version 1.84, which introduces the LDAPUtils class providing centralized LDAP filter escaping. The patch refactors common LDAP handling code to ensure consistent and proper escaping of special characters per RFC 2254.
For detailed patch information, refer to the GitHub Commit Changes and the GitHub CVE-2026-0636 Details.
Workarounds
- Implement application-level input validation to reject or escape LDAP special characters before passing data to Bouncy Castle APIs
- If LDAP certificate store functionality is not required, disable or remove usage of X509LDAPCertStoreSpi
- Deploy network-level LDAP filtering to block queries containing suspicious injection patterns
- Consider using alternative certificate retrieval mechanisms that do not rely on LDAP
# Maven dependency update example
# Update pom.xml to use the latest released Bouncy Castle version (versions-maven-plugin;
# applies when the dependency version is written directly in the <dependency> element)
mvn versions:use-latest-releases -Dincludes=org.bouncycastle:bcprov-jdk18on
# Verify which Bouncy Castle artifacts and versions the project actually resolves
mvn dependency:tree | grep bouncycastle
# Force update to secure version 1.84+ (applies when the pom pins the version
# through a bouncycastle.version property; use 1.84 or any later release)
mvn versions:set-property -Dproperty=bouncycastle.version -DnewVersion=1.84
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.