PT-2026-7016 · Apache · Apache Shiro
4Ra1N +2
Published 2026-01-01 · Updated 2026-05-18
CVE-2026-23901
CVSS v3.1 2.5 Low
Vector AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Apache Shiro versions 1.*
Apache Shiro versions 2.* through 2.0.6

Description
An observable timing discrepancy exists in Apache Shiro. Before version 2.0.7, the code paths taken for non-existent and for existing users differ enough in execution time that a brute-force attacker can tell, by measuring request timing, whether a login request failed because of an invalid user or because of an incorrect password. The most likely attack vector is a local attack. This issue is related to username enumeration, as discussed in the Shiro security model. Brute-force attacks can typically be mitigated at the infrastructure level.

Recommendations
Upgrade to Apache Shiro version 2.0.7 or later.
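The timing discrepancy described above, as an added illustration that is not Shiro's code: a login check that returns early for an unknown user, beside one that does the same hashing work on every path, plus a measurement helper a defender can keep as a regression test for the hardened version. The user store, PBKDF2 parameters and helper names are constructed for this example.

```python
import hashlib
import hmac
import os
import statistics
import time

ITERATIONS = 100_000  # PBKDF2 rounds: the slow step whose absence is observable

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# Constructed single-user store (username -> (salt, hash)); not a Shiro realm.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, hash_password("correct horse", _SALT))}
# Dummy credential so the unknown-user path performs the same hashing work.
DUMMY_SALT = os.urandom(16)
DUMMY_HASH = hash_password("placeholder-not-a-real-password", DUMMY_SALT)

def login_vulnerable(username: str, password: str) -> bool:
    """Leaky pattern: an unknown user returns before any hashing is done."""
    record = USERS.get(username)
    if record is None:
        return False  # fast path (microseconds) reveals the user does not exist
    salt, expected = record
    return hmac.compare_digest(hash_password(password, salt), expected)  # slow path

def login_uniform(username: str, password: str) -> bool:
    """Hardened pattern: hash exactly once, then fold 'user exists' into the result."""
    record = USERS.get(username)
    known = record is not None
    salt, expected = record if known else (DUMMY_SALT, DUMMY_HASH)
    match = hmac.compare_digest(hash_password(password, salt), expected)
    return match and known

def _median_seconds(login, username: str, rounds: int = 5) -> float:
    samples = []
    for _ in range(rounds):
        start = time.perf_counter()
        login(username, "not-the-password")
        samples.append(time.perf_counter() - start)
    return statistics.median(samples)

def timing_ratio(login) -> float:
    """Unknown-user time divided by wrong-password time; close to 1.0 means no leak."""
    return _median_seconds(login, "nobody") / _median_seconds(login, "alice")

if __name__ == "__main__":
    print(f"vulnerable ratio: {timing_ratio(login_vulnerable):.5f}")
    print(f"uniform ratio:    {timing_ratio(login_uniform):.5f}")
```

A ratio far below 1.0 for the early-return version is the signal the advisory describes; the uniform version stays near 1.0 because both failure cases run one PBKDF2 computation.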

Fix


Weakness Enumeration

Related Identifiers

CLEANSTART-2026-GH89210
CVE-2026-23901
GHSA-C4QC-4Q9P-M9Q9

Affected Products

Apache Shiro