PT-2026-50410 · Apache · Apache Shiro

Published: 2026-06-17 · Updated: 2026-06-17 · CVE-2026-49268

CVSS v4.0: 8.8 (High)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/S:P/AU:Y/R:A/RE:L/U:Red
Name of the Vulnerable Software and Affected Versions

Apache Shiro versions prior to 2.2.1
Apache Shiro versions prior to 3.0.0-alpha-2
Description

A remote attacker can inject LDAP special characters into the Distinguished Name (DN) construction within the DefaultLdapRealm class. User-supplied username input is directly concatenated into the LDAP DN template without escaping RFC 2253 special characters. This allows an attacker to manipulate the DN structure used for LDAP bind authentication, potentially leading to authentication bypass or user impersonation.
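As an added illustration (not Apache Shiro's own code): escaping a username per RFC 2253 section 2.4 before it is substituted into a user-DN template, with the raw-concatenation pattern the advisory describes beside the escaped one and a structural check that the resulting DN keeps the template's RDN count. The template string, its `{0}` placeholder and the sample usernames are constructed assumptions, not values from the advisory.

```python
# Added example (not Apache Shiro's code): RFC 2253 escaping of a username
# before DN-template substitution. Template, {0} and samples are constructed.

# Assumed Shiro-style template: {0} is replaced by the supplied username.
USER_DN_TEMPLATE = "uid={0},ou=users,dc=example,dc=com"

# RFC 2253 section 2.4: these must be backslash-escaped anywhere in a value.
RFC2253_SPECIAL = set(',+"\\<>;')


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside an RDN (RFC 2253 section 2.4)."""
    last = len(value) - 1
    out = []
    for i, ch in enumerate(value):
        if ch in RFC2253_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:                 # leading '#' starts hex form
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):  # leading or trailing space
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def build_dn_unescaped(username: str) -> str:
    """Vulnerable pattern: raw substitution, as the advisory describes."""
    return USER_DN_TEMPLATE.replace("{0}", username)


def build_dn_escaped(username: str) -> str:
    """Hardened pattern: escape the value before substituting it."""
    return USER_DN_TEMPLATE.replace("{0}", escape_dn_value(username))


def rdn_count(dn: str) -> int:
    """Count RDNs via unescaped commas; a changed count reveals injection."""
    count, escaped = 1, False
    for ch in dn:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            count += 1
    return count


def has_dn_metacharacters(username: str) -> bool:
    """Detection aid: flag logins whose username would alter DN structure."""
    return (any(ch in RFC2253_SPECIAL for ch in username)
            or username[:1] in ("#", " ") or username[-1:] == " ")
```

`rdn_count(build_dn_escaped(u)) == rdn_count(USER_DN_TEMPLATE)` holds for every input, which is the invariant a realm should preserve; `has_dn_metacharacters` is suitable for alerting on login attempts against unpatched versions.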
Recommendations

Upgrade to version 2.2.1 or later.
Upgrade to version 3.0.0-alpha-2 or later.

Fix


Weakness Enumeration

Related Identifiers

CVE-2026-49268

Affected Products

Apache Shiro