The SAML identifier generated within SAML2Utils.java was found to make use of the apache commons-lang3 RandomStringUtils class which makes them predictable due to RandomStringUtils PRNG's algorithm not being cryptographically strong. This issue only affects the 3.X release of pac4j-saml.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:NPac4j
APPPac4J3.0.0 β 3.8.2
π΅
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
Related vulnerabilities
CVE-2026-40458HIGH7.0ten sam produkt
PAC4J is vulnerable to Cross-Site Request Forgery (CSRF). A malicious attacker can craft a specially designed ...
CVE-2026-40459HIGH8.7ten sam produkt
PAC4J is vulnerable to LDAP Injection in multiple methods. A low-privileged remote attacker can inject crafted...
CVE-2021-44878HIGH7.5ten sam produkt
If an OpenID Connect provider supports the "none" algorithm (i.e., tokens with no signature), pac4j v5.3.0 (an...