CWE-90
AllowedImproper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
Abstraction: Base · Status: Draft
The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.
114 vulnerabilities reference this CWE, most recent first.
GHSA-X96M-RH44-VGV8
Vulnerability from github – Published: 2026-06-17 18:35 – Updated: 2026-06-18 14:37A remote attacker can inject LDAP special characters into the Distinguished Name (DN) construction in DefaultLdapRealm class. User-supplied username input is directly concatenated into the LDAP DN template without any escaping of RFC 2253 special characters. This allows an attacker to manipulate the DN structure used for LDAP bind authentication, potentially bypassing authentication or impersonating other users.
This issue affects all Apache Shiro versions through 2.2.0, and 3.0.0-alpha-1 when using DefaultLdapRealm Upgrade to Apache Shiro 2.2.1 or 3.0.0-alpha-2 or later, which fixes the issue.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.shiro:shiro-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.2.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.shiro:shiro-core"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0-alpha-0"
},
{
"fixed": "3.0.0-alpha-2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-49268"
],
"database_specific": {
"cwe_ids": [
"CWE-90"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-18T14:37:08Z",
"nvd_published_at": "2026-06-17T14:17:56Z",
"severity": "HIGH"
},
"details": "A remote attacker can inject LDAP special characters into the Distinguished Name (DN) construction in DefaultLdapRealm class. User-supplied username input is directly concatenated into the LDAP DN template without any escaping of RFC 2253 special characters. This allows an attacker to manipulate the DN structure used for LDAP bind authentication, potentially bypassing authentication or impersonating other users.\n\nThis issue affects all Apache Shiro versions through 2.2.0, and 3.0.0-alpha-1 when using\u00a0DefaultLdapRealm\nUpgrade to Apache Shiro 2.2.1 or 3.0.0-alpha-2 or later, which fixes the issue.",
"id": "GHSA-x96m-rh44-vgv8",
"modified": "2026-06-18T14:37:08Z",
"published": "2026-06-17T18:35:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-49268"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/shiro"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/svszql3od8td7hn6conyj2oq70v53b5s"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/06/17/8"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/S:P/AU:Y/R:A/RE:L/U:Red",
"type": "CVSS_V4"
}
],
"summary": "Apache Shiro: LDAP DN Injection in DefaultLdapRealm"
}
GHSA-XJC4-4M54-94XR
Vulnerability from github – Published: 2022-12-07 12:30 – Updated: 2022-12-12 15:30Improper neutralization of special elements used in an LDAP query ('LDAP Injection') vulnerability in ActiveDirectory and Sharepoint ActiveDirectory authority connectors of Apache ManifoldCF allows an attacker to manipulate the LDAP search queries (DoS, additional queries, filter manipulation) during user lookup, if the username or the domain string are passed to the UserACLs servlet without validation. This issue affects Apache ManifoldCF version 2.23 and prior versions.
{
"affected": [],
"aliases": [
"CVE-2022-45910"
],
"database_specific": {
"cwe_ids": [
"CWE-74",
"CWE-90"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-07T10:15:00Z",
"severity": "MODERATE"
},
"details": "Improper neutralization of special elements used in an LDAP query (\u0027LDAP Injection\u0027) vulnerability in ActiveDirectory and Sharepoint ActiveDirectory authority connectors of Apache ManifoldCF allows an attacker to manipulate the LDAP search queries (DoS, additional queries, filter manipulation) during user lookup, if the username or the domain string are passed to the UserACLs servlet without validation. This issue affects Apache ManifoldCF version 2.23 and prior versions.",
"id": "GHSA-xjc4-4m54-94xr",
"modified": "2022-12-12T15:30:31Z",
"published": "2022-12-07T12:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45910"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/m693p0dq6jvwwvmy2wnhj6k854z0s444"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XP6H-P4CJ-42W8
Vulnerability from github – Published: 2024-05-14 18:31 – Updated: 2024-07-03 18:41An issue was discovered in linqi before 1.4.0.1 on Windows. There is LDAP injection.
{
"affected": [],
"aliases": [
"CVE-2024-33868"
],
"database_specific": {
"cwe_ids": [
"CWE-79",
"CWE-90"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-14T16:17:22Z",
"severity": "CRITICAL"
},
"details": "An issue was discovered in linqi before 1.4.0.1 on Windows. There is LDAP injection.",
"id": "GHSA-xp6h-p4cj-42w8",
"modified": "2024-07-03T18:41:33Z",
"published": "2024-05-14T18:31:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33868"
},
{
"type": "WEB",
"url": "https://linqi.help/Updates/en#/SecurityUpdates"
},
{
"type": "WEB",
"url": "https://www.linqi.de/de-DE/blog.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XQ73-FVMR-JVMM
Vulnerability from github – Published: 2026-06-26 17:32 – Updated: 2026-06-26 17:32Summary
Description
An LDAP Injection (CWE-90) vulnerability in the MSISDN authentication module allows an unauthenticated, remote attacker to obtain an arbitrary OpenAM session without a password in the default trusted gateway configuration. This impacts OpenAM Community Edition through version 16.0.6. This issue was patched in version 16.1.1.
Impact
OpenAM deployments through version 16.0.6 that have MSISDN enabled are potentially affected. This enables a pre-authentication login bypass for any realm where an MSISDN module instance is enabled in an authentication chain and reachable through the trusted-gateway list, which allows all traffic by default. The request-supplied MSISDN value was concatenated directly into an LDAP search filter. The resulting OpenAM session is a normal authenticated session for the matched user.
Patch
This has been patched in OpenAM Community Edition version 16.1.1. Users are encouraged to update to the latest release.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.openidentityplatform.openam:openam-auth-msisdn"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "16.1.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-46619"
],
"database_specific": {
"cwe_ids": [
"CWE-1188",
"CWE-90"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-26T17:32:18Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Summary\n\n**Description**\n\nAn LDAP Injection (CWE-90) vulnerability in the MSISDN authentication module allows an unauthenticated, remote attacker to obtain an arbitrary OpenAM session without a password in the default trusted gateway configuration. This impacts OpenAM Community Edition through version 16.0.6. This issue was patched in version 16.1.1.\n\n## Impact\nOpenAM deployments through version 16.0.6 that have MSISDN enabled are potentially affected. This enables a pre-authentication login bypass for any realm where an MSISDN module instance is enabled in an authentication chain and reachable through the trusted-gateway list, which allows all traffic by default. The request-supplied MSISDN value was concatenated directly into an LDAP search filter. The resulting OpenAM session is a normal authenticated session for the matched user.\n\n## Patch\nThis has been patched in OpenAM Community Edition version 16.1.1. Users are encouraged to update to the latest release.",
"id": "GHSA-xq73-fvmr-jvmm",
"modified": "2026-06-26T17:32:18Z",
"published": "2026-06-26T17:32:18Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/OpenIdentityPlatform/OpenAM/security/advisories/GHSA-xq73-fvmr-jvmm"
},
{
"type": "PACKAGE",
"url": "https://github.com/OpenIdentityPlatform/OpenAM"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenAM Authentication Bypass via MSISDN LDAP Injection"
}
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
CAPEC-136: LDAP Injection
An attacker manipulates or crafts an LDAP query for the purpose of undermining the security of the target. Some applications use user input to create LDAP queries that are processed by an LDAP server. For example, a user might provide their username during authentication and the username might be inserted in an LDAP query during the authentication process. An attacker could use this input to inject additional commands into an LDAP query that could disclose sensitive information. For example, entering a * in the aforementioned query might return information about all users on the system. This attack is very similar to an SQL injection attack in that it manipulates a query to gather additional information or coerce a particular return value.