CVE-2026-0636: Bouncy Castle has an LDAP injection

April 17, 2026 (updated April 18, 2026)

Improper neutralization of special elements used in an LDAP query (‘LDAP injection’) vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcprov on all (prov modules). This vulnerability is associated with program files LDAPStoreHelper.

This issue affects BC-JAVA: from 1.74 before 1.84.

References

github.com/advisories/GHSA-c3fc-8qff-9hwx
github.com/bcgit/bc-java
github.com/bcgit/bc-java/commit/d20cdb8430e09224114fec0179a71859929fcbde
github.com/bcgit/bc-java/wiki/CVE%E2%80%902026%E2%80%900636
nvd.nist.gov/vuln/detail/CVE-2026-0636

Code Behaviors & Features

Detect and mitigate CVE-2026-0636 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →