Apache · Apache Shiro · CVE-2026-23903
**Name of the Vulnerable Software and Affected Versions**
Apache Shiro versions prior to 2.0.7
**Description**
An authentication bypass exists in Apache Shiro. When static files are served from a case-insensitive filesystem and only lower-case filters are present in Shiro, a request that varies the case of the filename does not match those filters, so the file can be accessed without authentication. The issue only affects static files.
**Recommendations**
Upgrade to version 2.0.7, which resolves the issue.
Configure `filterChainResolver.caseInsensitive = true` in `shiro.ini`.
Configure `shiro.caseInsensitive=true` in `application.properties`.
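
A detection check for the condition described above, as an added example that is not part of the original advisory or of Apache Shiro's code: it flags successful requests whose path matches a protected pattern only when case is ignored. The patterns, the Common Log Format input and the sample lines are constructed assumptions, and the pattern translation is a simplified stand-in for Shiro's own matcher.

```python
import re

# Hypothetical lower-case patterns mirroring the [urls] section of a shiro.ini.
PROTECTED_PATTERNS = ["/static/private/**", "/reports/*.pdf"]

# Constructed sample access-log lines (Common Log Format), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2026:10:00:01 +0000] "GET /static/private/plan.html HTTP/1.1" 302 0
203.0.113.5 - - [10/Jan/2026:10:00:07 +0000] "GET /static/PRIVATE/plan.html HTTP/1.1" 200 5120
198.51.100.9 - - [10/Jan/2026:10:02:13 +0000] "GET /Reports/q4.PDF HTTP/1.1" 200 88211
198.51.100.9 - - [10/Jan/2026:10:02:40 +0000] "GET /static/public/logo.png HTTP/1.1" 200 900
198.51.100.9 - - [10/Jan/2026:10:03:02 +0000] "GET /STATIC/private/missing.txt HTTP/1.1" 404 0
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def ant_to_regex(pattern, ignore_case=False):
    """Simplified Ant-style translation: ** spans segments, * stays in one."""
    out = ""
    for part in re.split(r"(\*\*|\*)", pattern):
        if part == "**":
            out += ".*"
        elif part == "*":
            out += "[^/]*"
        else:
            out += re.escape(part)
    return re.compile("^" + out + "$", re.IGNORECASE if ignore_case else 0)


def find_case_variant_hits(log_text, patterns=PROTECTED_PATTERNS):
    """Return 2xx requests that a protected pattern matches only without case."""
    strict = [ant_to_regex(p) for p in patterns]
    loose = [ant_to_regex(p, ignore_case=True) for p in patterns]
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed log format
        client, _method, target, status = m.groups()
        path = target.split("?", 1)[0]  # ignore any query string
        if any(r.match(path) for r in strict):
            continue  # the case-sensitive filter applied to this request
        if any(r.match(path) for r in loose) and status.startswith("2"):
            hits.append((client, path, int(status)))
    return hits


if __name__ == "__main__":
    print(find_case_variant_hits(SAMPLE_LOG))
```

A hit means a file under a protected path was served for a request the case-sensitive patterns did not cover, so it is worth checking both before and after the upgrade or configuration change.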