CVE-2026-0636 Overview
CVE-2026-0636 is an LDAP injection vulnerability in the Legion of the Bouncy Castle BC-JAVA bcprov cryptography library. The flaw resides in the LDAPStoreHelper class within the prov modules. Affected releases fail to properly neutralize special characters used in Lightweight Directory Access Protocol (LDAP) queries. This issue is categorized under CWE-90 — Improper Neutralization of Special Elements used in an LDAP Query. The defect affects BC-JAVA versions from 1.74 up to but not including 1.84. Applications that pass attacker-controllable input through LDAPStoreHelper for certificate or CRL retrieval may issue malformed or injected LDAP filters.
Critical Impact
Attackers can manipulate LDAP queries issued through LDAPStoreHelper to alter directory lookups for X.509 certificates and CRLs, potentially affecting trust decisions made by applications that rely on Bouncy Castle.
Affected Products
- Legion of the Bouncy Castle BC-JAVA bcprov version 1.74
- Legion of the Bouncy Castle BC-JAVA bcprov versions 1.75 through 1.83
- Java applications using LDAPStoreHelper from the prov modules for LDAP-based certificate or CRL retrieval
Discovery Timeline
- 2026-04-15 - CVE-2026-0636 published to NVD
- 2026-04-17 - Last updated in NVD database
Technical Details for CVE-2026-0636
Vulnerability Analysis
The LDAPStoreHelper class in bcprov constructs LDAP search filters used to retrieve X.509 certificates, cross-certificate pairs, and certificate revocation lists from directory servers. The implementation does not adequately escape special LDAP filter characters such as *, (, ), \, and NUL before embedding caller-supplied selector values into the filter string. An attacker who controls input that flows into a certificate or CRL selector can alter the structure of the resulting LDAP query.
LDAP injection allows the attacker to broaden, narrow, or otherwise change the directory query semantics. In a certificate retrieval context, this can cause the helper to return unexpected entries, no entries, or to query attributes outside the intended scope. Applications that subsequently rely on these results for trust validation, signature verification, or PKI operations may make decisions based on directory data the attacker has influenced. The vulnerability is reachable over the network because LDAP filter content typically originates from certificate fields or application input that the attacker can shape.
Root Cause
The root cause is missing escaping of LDAP metacharacters in filter assembly within LDAPStoreHelper. RFC 4515 requires that characters \, *, (, ), and the NUL byte be encoded as backslash-hex sequences before inclusion in a filter. The affected releases concatenate selector values into the filter string without applying this escaping, which permits filter syntax injection.
Attack Vector
An attacker supplies crafted input that reaches a selector field consumed by LDAPStoreHelper, for example through a certificate subject, issuer name, or an application-level parameter used during PKI lookup. When the helper queries the directory, the injected metacharacters change the filter structure. Network access to the application and the ability to influence selector content are the prerequisites for exploitation. No authentication is required at the LDAP layer for the injection itself to occur.
A detailed description of the affected code paths and the corrective changes is available in the Bouncy Castle CVE-2026-0636 Wiki and the upstream fix commit.
Detection Methods for CVE-2026-0636
Indicators of Compromise
- LDAP server logs showing search filters containing unescaped *, (, or ) characters originating from application service accounts using Bouncy Castle.
- Unexpected broad-match LDAP queries against certificate, CRL, or crossCertificatePair attributes.
- Application logs showing PKI lookups for principals or selectors that contain LDAP metacharacters.
Detection Strategies
- Inventory Java dependencies and flag any bcprov-* artifact at versions 1.74 through 1.83, including transitive dependencies surfaced by tools such as mvn dependency:tree or gradle dependencies.
- Search source code for references to org.bouncycastle.jce.provider.X509LDAPCertStoreParameters and LDAPStoreHelper to identify call sites that pass externally influenced selectors.
- Enable verbose LDAP query logging on directory servers and alert on filters that contain metacharacters in user-controlled positions.
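The indicator and detection bullets above describe what to look for in directory logs. The following is an added example, not part of this advisory and not code from the Bouncy Castle project, that applies those checks to constructed log lines in an OpenLDAP-style "stats" layout; the log format, the service-account DN and the rule logic are assumptions to be tuned to the filters your own PKI applications emit.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in an OpenLDAP-style "stats" log layout. The layout, the
# DNs and the filters are all made up for this example.
SAMPLE_LOG = r"""
conn=1001 op=1 BIND dn="cn=pki-svc,ou=svc,dc=example,dc=com" method=128
conn=1001 op=2 SRCH base="ou=certs,dc=example,dc=com" scope=2 filter="(&(objectClass=pkiUser)(cn=alice))"
conn=1001 op=3 SRCH base="ou=certs,dc=example,dc=com" scope=2 filter="(&(objectClass=pkiUser)(cn=*)(objectClass=*))"
conn=1001 op=4 SRCH base="ou=certs,dc=example,dc=com" scope=2 filter="(&(objectClass=pkiUser)(cn=Acme \28Test\29 CA))"
conn=1001 op=5 SRCH base="ou=crls,dc=example,dc=com" scope=2 filter="(certificateRevocationList;binary=*)"
conn=1001 op=6 SRCH base="ou=certs,dc=example,dc=com" scope=2 filter="(&(objectClass=pkiUser)(cn=bad\escape))"
conn=1002 op=1 SRCH base="ou=people,dc=example,dc=com" scope=2 filter="(uid=bob)"
"""

# Bind identities of Java applications that perform PKI lookups (assumed).
PKI_SERVICE_ACCOUNTS = {"cn=pki-svc,ou=svc,dc=example,dc=com"}

# Attributes holding certificates and CRLs (RFC 4523 names, compared
# case-insensitively with any ";binary" transfer option removed).
PKI_ATTRIBUTES = {
    "usercertificate", "cacertificate", "crosscertificatepair",
    "certificaterevocationlist", "authorityrevocationlist",
}

CONN_RE = re.compile(r"\bconn=(\d+)\b")
BIND_RE = re.compile(r'\bBIND dn="([^"]*)"')
SRCH_RE = re.compile(r'\bop=(\d+) SRCH .*?filter="((?:[^"\\]|\\.)*)"')
# One assertion "(attribute<op>value)"; a well-formed value has no raw parens.
ASSERTION_RE = re.compile(r"\(([A-Za-z0-9.;-]+)(>=|<=|~=|=)([^()]*)\)")
# RFC 4515 allows a backslash in a value only as \XX with two hex digits.
BAD_ESCAPE_RE = re.compile(r"\\(?![0-9A-Fa-f]{2})")


def analyse_filter(ldap_filter: str, from_pki_account: bool) -> List[Tuple[str, str]]:
    """Return (rule, attribute) findings for one search filter."""
    findings: List[Tuple[str, str]] = []
    for attr, _op, value in ASSERTION_RE.findall(ldap_filter):
        base_attr = attr.split(";")[0].lower()
        if BAD_ESCAPE_RE.search(value):
            # A stray backslash: the value never went through RFC 4515 escaping.
            findings.append(("malformed_escape", attr))
        if value == "*" and base_attr in PKI_ATTRIBUTES:
            # Presence filter on a certificate/CRL attribute matches every entry.
            findings.append(("broad_pki_match", attr))
        if "*" in value and from_pki_account:
            # Assumption for this rule: the PKI application's own lookups are
            # equality matches, so a wildcard from its account means a selector
            # value reached the filter unescaped. Tune to the filters you emit.
            findings.append(("wildcard_from_pki_account", attr))
    return findings


def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Correlate BIND and SRCH lines per connection; return (op, rule, attr)."""
    bound_as: Dict[str, str] = {}
    results: List[Tuple[str, str, str]] = []
    for line in text.splitlines():
        conn_m = CONN_RE.search(line)
        if not conn_m:
            continue
        conn = conn_m.group(1)
        bind_m = BIND_RE.search(line)
        if bind_m:
            bound_as[conn] = bind_m.group(1)
            continue
        srch_m = SRCH_RE.search(line)
        if not srch_m:
            continue
        op, raw_filter = srch_m.groups()
        from_pki = bound_as.get(conn, "") in PKI_SERVICE_ACCOUNTS
        for rule, attr in analyse_filter(raw_filter, from_pki):
            results.append((op, rule, attr))
    return results


if __name__ == "__main__":
    for op, rule, attr in scan_log(SAMPLE_LOG):
        print(f"op={op} rule={rule} attribute={attr}")
```

Run as-is, the scan reports op 3 (wildcards injected into two assertions), op 5 (a presence match on a CRL attribute) and op 6 (a backslash that is not a valid RFC 4515 escape), while the correctly escaped value in op 4 produces no finding. The same three rules translate directly into SIEM queries over forwarded LDAP audit logs.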
Monitoring Recommendations
- Forward LDAP audit logs to a SIEM or data lake and build detections for malformed or unusually broad filter expressions originating from PKI service accounts.
- Monitor for anomalous spikes in LDAP search volume or response size from hosts running Java applications that perform certificate path validation.
- Track outbound LDAP traffic from application servers to ensure it terminates only at authorized directory servers.
How to Mitigate CVE-2026-0636
Immediate Actions Required
- Upgrade bcprov to version 1.84 or later across all Java applications and rebuild dependent artifacts.
- Identify and remediate transitive uses of vulnerable bcprov versions in container images, application servers, and packaged software.
- Where LDAPStoreHelper is used with externally influenced selectors, validate and escape input at the application boundary as a defense-in-depth measure.
Patch Information
The issue is resolved in Bouncy Castle BC-JAVA release 1.84. The corrective change is published in the upstream commit d20cdb8, which adds proper escaping of LDAP filter metacharacters in LDAPStoreHelper. Refer to the Bouncy Castle project wiki entry for CVE-2026-0636 for upgrade guidance.
Workarounds
- Restrict the directory servers reachable from applications using bcprov to trusted PKI directories only, reducing the impact of injected filters.
- Apply network egress controls so that only authorized LDAP endpoints can be contacted by Java application servers.
- Where upgrading is not immediately possible, replace LDAPStoreHelper-based certificate retrieval with an alternative CertStore implementation that performs proper filter escaping, or pre-sanitize all selector inputs by encoding \, *, (, ), and NUL per RFC 4515 before invoking the helper.
# Example: identify vulnerable bcprov versions in a Maven project
mvn dependency:tree -Dincludes=org.bouncycastle:bcprov-jdk15on,org.bouncycastle:bcprov-jdk15to18,org.bouncycastle:bcprov-jdk18on

# Example: enforce a fixed version in Gradle (add to build.gradle)
configurations.all {
    resolutionStrategy.force 'org.bouncycastle:bcprov-jdk18on:1.84'
}
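The Root Cause section states the RFC 4515 rule, and the last workaround above recommends encoding selector values before they reach the helper. The following is an added illustration, not code from this advisory or from Bouncy Castle, showing that five-character encoding next to the plain concatenation the advisory describes. The filter template `(&(objectClass=pkiUser)(cn=...))` and the selector value are constructed for the example and do not reproduce LDAPStoreHelper's actual filters; the encoding table itself is language-independent and applies equally in Java.

```python
# RFC 4515 section 3: inside an assertion value these characters must be
# written as a backslash followed by two hex digits; otherwise they are
# parsed as filter syntax (or, for NUL, truncate the value).
RFC4515_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Encode LDAP filter metacharacters in one assertion value (RFC 4515)."""
    return "".join(RFC4515_ESCAPES.get(ch, ch) for ch in value)


# Constructed filter template; it does not reproduce LDAPStoreHelper's filters.
TEMPLATE = "(&(objectClass=pkiUser)({attribute}={value}))"


def build_filter_unsafe(attribute: str, value: str) -> str:
    """Plain concatenation: the defect pattern described under Root Cause."""
    return TEMPLATE.format(attribute=attribute, value=value)


def build_filter_safe(attribute: str, value: str) -> str:
    """Same template with the caller-supplied value escaped first."""
    return TEMPLATE.format(attribute=attribute, value=escape_filter_value(value))


def component_count(ldap_filter: str) -> int:
    """Number of filter items, i.e. raw '(' characters. Escaped parentheses
    (the 28 and 29 hex sequences) are data and are not counted, so a correctly
    built filter always has the same count as its template (3 here)."""
    return ldap_filter.count("(")


if __name__ == "__main__":
    # Constructed selector value of the kind that could arrive via a
    # certificate subject or an application parameter.
    selector = "*)(objectClass=*"
    for label, f in (("unsafe", build_filter_unsafe("cn", selector)),
                     ("safe", build_filter_safe("cn", selector))):
        print(f"{label:6s} items={component_count(f)} filter={f}")
```

The unsafe build turns a three-item template into a four-item filter with a presence match the application never intended, while the escaped build keeps the structure and carries the selector purely as data. The check in component_count is a cheap invariant to assert on at the application boundary: the number of filter items after substitution must equal the number in the template.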
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.