PT-2026-7017 · Apache · Apache Shiro

Jesse Yang +1

Published 2026-01-01 · Updated 2026-02-09

CVE-2026-23903

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Apache Shiro versions prior to 2.0.7

Description: An authentication bypass issue exists in Apache Shiro. On case-insensitive filesystems, authentication can be bypassed when accessing static files by varying the case of the filename in the request, if only lower-case filter patterns are present in the Shiro configuration. The issue only affects static files.

Recommendations: Upgrade to version 2.0.7, which resolves the issue. In shiro.ini, configure filterChainResolver.caseInsensitive = true; in application.properties, configure shiro.caseInsensitive=true.
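A shiro.ini showing the mitigation named above in context, as an added example that is not the advisory's or the Shiro project's own configuration; the path patterns, filter names and the absence of a catch-all chain are assumptions made for the illustration:

```ini
# shiro.ini - added illustration, not configuration from the advisory.
# The /static paths and the filter layout below are assumed for the example.

[main]
# Mitigation named in the advisory: resolve filter chains without regard to
# the letter case of the request path, so a path that differs from a pattern
# only in case is routed to the same chain as the lower-case pattern.
filterChainResolver.caseInsensitive = true

[urls]
# Lower-case patterns only. Shiro passes a request through unfiltered when no
# chain matches it, so without the [main] setting a static file reached via a
# differently cased path on a case-insensitive filesystem would not be covered
# by the authc chain written for it. The setting above closes that gap.
/login = authc
/static/public/** = anon
/static/app/** = authc
```

Adding an explicit catch-all chain (for example `/** = authc` as the last entry) is a separate defence-in-depth measure, not the fix the advisory describes; upgrading to 2.0.7 remains the primary recommendation.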

Related Identifiers

CVE-2026-23903
GHSA-C244-P6M5-VQJ6

Affected Products

Apache Shiro