CVE-2026-0636 - Medium Severity Vulnerability
Vulnerable Library - bcprov-jdk18on-1.80.jar
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains the JCA/JCE provider and low-level API for the BC Java version 1.80 for Java 8 and later.
Library home page: https://www.bouncycastle.org/download/bouncy-castle-java/
Path to dependency file: /OPENAPI-REST-API/openapi-client/kotlin/build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.bouncycastle/bcprov-jdk18on/1.80/e22100b41042decf09cab914a5af8d2c57b5ac4a/bcprov-jdk18on-1.80.jar
Dependency Hierarchy:
- bcpg-jdk18on-1.80.jar (Root Library)
  - ❌ bcprov-jdk18on-1.80.jar (Vulnerable Library)
Found in HEAD commit: 1f70e2feccb7006c8d32cc7d4fe62f5cf5e5c34d
Found in base branch: master
Vulnerability Details
Improper neutralization of special elements used in an LDAP query ('LDAP injection') vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcprov on all (prov modules). This vulnerability is associated with program files LDAPStoreHelper.
This issue affects BC-JAVA: from 1.74 before 1.84.
Publish Date: 2026-04-15
URL: CVE-2026-0636
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: None
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2026-04-15
Fix Resolution (org.bouncycastle:bcprov-jdk18on): 1.84
Direct dependency fix Resolution (org.bouncycastle:bcpg-jdk18on): 1.84