## Bouncy Castle BC-JAVA Hit by Critical LDAP Injection Vulnerability CVE-2026-0636 Affecting Millions of Deployments
A critical LDAP injection vulnerability has been identified in the Legion of the Bouncy Castle Inc. BC-JAVA cryptographic library, potentially exposing countless applications that rely on the widely used open-source security toolkit. The flaw, tracked as CVE-2026-0636 and classified under CWE-90, resides in the LDAPStoreHelper program module and affects all provider modules within the BC-JAVA ecosystem. It stems from improper neutralization of special elements used in LDAP queries, which gives malicious actors a direct way to manipulate directory service interactions.

The affected versions run from BC-JAVA 1.74 up to, but not including, 1.84; the package flagged as vulnerable is the `org.bouncycastle:bcprov-jdk18on` artifact at version 1.78.1. This version range represents a significant portion of the library's recent deployment history, as Bouncy Castle remains one of the most referenced cryptographic libraries in the Java ecosystem. Security researchers have flagged the issue through multiple vulnerability tracking platforms, including the National Vulnerability Database (NVD), Sonatype's OSS Index, and GitHub's security advisories.

Applications leveraging Bouncy Castle's LDAP functionality face elevated risk of unauthorized directory access, authentication bypass, or data exfiltration if the vulnerable component is exposed to untrusted input. Developers using BC-JAVA in enterprise software, financial systems, or identity management platforms should immediately audit their dependencies and upgrade to version 1.84 or later. The library's pervasive use in both commercial and open-source projects means this vulnerability could have downstream effects across supply chains, warranting priority attention from security teams and DevOps personnel responsible for maintaining Java-based infrastructure.
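
One way to carry out the dependency audit recommended above, as an added example that is not Bouncy Castle's or the advisory's own tooling: it scans `mvn dependency:tree` text for provider artifacts inside the affected range stated on this page. The sample tree is constructed, and treating every `bcprov-*` artifact as a provider module is an assumption.

```python
import re

# Affected range as stated on this page: 1.74 up to, but not including, 1.84.
FIRST_AFFECTED = (1, 74)
FIRST_FIXED = (1, 84)

# Maven coordinate in dependency:tree form: group:artifact:type[:classifier]:version
# Assumption: every org.bouncycastle "bcprov-*" artifact is a provider module.
COORD = re.compile(
    r"org\.bouncycastle:(bcprov-[\w.-]+):(?:[\w-]+:){1,2}(\d+(?:\.\d+)*)"
)

# Constructed sample of `mvn dependency:tree` output (not from a real project).
SAMPLE_TREE = r"""
[INFO] com.example:demo-app:jar:1.0.0
[INFO] +- org.bouncycastle:bcprov-jdk18on:jar:1.78.1:compile
[INFO] +- org.bouncycastle:bcpkix-jdk18on:jar:1.78.1:compile
[INFO] +- com.example:legacy-sso:jar:2.3.0:compile
[INFO] |  \- org.bouncycastle:bcprov-jdk15to18:jar:1.73:compile
[INFO] \- com.example:report-service:jar:4.1.0:compile
[INFO]    \- org.bouncycastle:bcprov-jdk18on:jar:1.84:runtime
"""


def parse_version(text):
    """Turn '1.78.1' into (1, 78, 1) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def is_affected(version):
    """True when the version lies in [1.74, 1.84), the range given on this page."""
    return FIRST_AFFECTED <= parse_version(version) < FIRST_FIXED


def audit(tree_text):
    """Return sorted (artifact, version) pairs that fall in the affected range."""
    hits = set()
    for line in tree_text.splitlines():
        match = COORD.search(line)
        if match and is_affected(match.group(2)):
            hits.add((match.group(1), match.group(2)))
    return sorted(hits)


if __name__ == "__main__":
    for artifact, version in audit(SAMPLE_TREE):
        print(f"AFFECTED org.bouncycastle:{artifact}:{version} -> upgrade to 1.84 or later")
```

Transitive copies matter as much as direct ones, which is why the scan reads the resolved tree rather than the `pom.xml` declarations.
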

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: LDAP injection, CVE-2026-0636, BC-JAVA, Bouncy Castle, CWE-90
- **Credibility**: unverified
- **Published**: 2026-05-04 09:54:12
- **ID**: 79235
- **URL**: https://whisperx.ai/en/intel/79235