Apache Shiro security advisories

Security information for Apache Shiro

Reporting

Do you want disclose a potential security issue for Apache Shiro? You can read more about the projects’ security policy on their security page, and email your report to the Apache Shiro Security Team.

Advisories

This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. It may also lack details found on the project security page. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org

Remember-me cookie isn’t checked for expiry on the server

CVE-2026-56130 [CVE] [CVE json] [OSV json]

Last updated: 2026-06-25T08:44:28.652Z

Affected

  • Apache Shiro from 1.2.4 through 2.99.99
  • Apache Shiro from 3.0.0-alpha-0 through 3.0.0-alpha-1

Description

"Remember me" cookie age is not verified on the server. This potentially allows an attacker to intercept a valid cookie and reuse it indefinitely, even after the configured expiration time has passed.
This issue affects all Apache Shiro versions from 1.2.4 through 2.x, and 3.0.0-alpha-1, only when RememberMe functionality is enabled.

Upgrade to version 3.0.0 or later, which fixes the issue.

References

Credits

Authentication bypass in Guice-Web integration

CVE-2026-56091 [CVE] [CVE json] [OSV json]

Last updated: 2026-06-25T08:45:18.079Z

Affected

  • Apache Shiro through 2.99.99
  • Apache Shiro from 3.0.0-alpha-0 through 3.0.0-alpha-1

Description

When using Apache Shiro with the shiro-guice module in a web servlet context, a specially crafted HTTP request may cause an authentication bypass.
This vulnerability is similar to https://www.cve.org/CVERecord?id=CVE-2020-1957, except that it affects the shiro-guice module instead of the shiro-spring module.

This issue affects all Apache Shiro versions through 2.x, and 3.0.0-alpha-1 only when using shiro-guice module in a web servlet context.

Upgrade to version 3.0.0 or later, which fixes the issue.

References

Credits

LDAP DN Injection in DefaultLdapRealm

CVE-2026-49268 [CVE] [CVE json] [OSV json]

Last updated: 2026-06-17T13:07:43.325Z

Affected

  • Apache Shiro through 2.2.0
  • Apache Shiro from 3.0.0-alpha-0 through 3.0.0-alpha-1

Description

A remote attacker can inject LDAP special characters into the Distinguished Name (DN) construction in DefaultLdapRealm class. User-supplied username input is directly concatenated into the LDAP DN template without any escaping of RFC 2253 special characters. This allows an attacker to manipulate the DN structure used for LDAP bind authentication, potentially bypassing authentication or impersonating other users.

This issue affects all Apache Shiro versions through 2.2.0, and 3.0.0-alpha-1 when using DefaultLdapRealm
Upgrade to Apache Shiro 2.2.1 or 3.0.0-alpha-2 or later, which fixes the issue.

References

Credits

  • zhaokaifei (reporter) - ChinaTelecom (finder)
  • Lenny Primak lenny@flowlogix.com (remediation developer)

Jakarta EE open redirect via untrusted Referer in post-login redirect flow

CVE-2026-48589 [CVE] [CVE json] [OSV json]

Last updated: 2026-05-25T20:20:09.531Z

Affected

  • Apache Shiro from 2.0.0-alpha-0 through 2.2.0
  • Apache Shiro from 3.0.0-alpha-0 through 3.0.0-alpha-1

Description

Apache Shiro’s Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user login.
In affected versions, insufficient validation of this client-controlled value could allow an attacker to influence the redirect target in applications using the Jakarta EE module.
This issue affects Apache Shiro from 2.0-alpha to 2.2.0, and 3.0.0-alpha-1, only when using shiro-jakarta-ee integration module.

References

Credits

Open redirect and SSRF (requires valid credentials)

CVE-2026-44598 [CVE] [CVE json] [OSV json]

Last updated: 2026-05-25T20:19:50.656Z

Affected

  • Apache Shiro Jakarta EE module from 2.0.0-alpha-0 through 2.1.0
  • Apache Shiro Jakarta EE module from 3.0.0-alpha-0 through 3.0.0-alpha-1

Description

With valid login credentials, URL Redirection to Untrusted Site ('Open Redirect'), Server-Side Request Forgery (SSRF) vulnerability in Apache Shiro.

This issue affects Apache Shiro from 2.0-alpha to 2.1.0, and 3.0.0-alpha-1, only when using shiro-jakarta-ee integration module.

Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue by encrypting the cookie.

After successful login, Jakarta EE integration module uses shiroSavedRequest cookie to redirect to a particular web page after login.
This cookie was not validated, and can be forged to send a HTTP GET request from the server itself to an arbitrary URL from the cookie.

References

Credits

Shiro’s native session and rememberMe cookies do not have secure flag set by default

CVE-2026-43828 [CVE] [CVE json] [OSV json]

Last updated: 2026-05-25T20:19:30.172Z

Affected

  • Apache Shiro from 1.0 through 2.1.0
  • Apache Shiro from 3.0.0-alpha-0 through 3.0.0-alpha-1

Description

Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attribute.

This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1.

Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue.

In the affected versions, Shiro-native session manager, as well as Remember-Me manager sends JSESSIONID and rememberMe cookies without 'secure' attribute by default.

References

Credits

Session fixation: new session is not created after login by default

CVE-2026-43827 [CVE] [CVE json] [OSV json]

Last updated: 2026-05-25T20:19:09.384Z

Affected

  • Apache Shiro from 1.0 through 2.1.0
  • Apache Shiro from 3.0.0-alpha-0 through 3.0.0-alpha-1

Description

Default configurations of Apache Shiro have a session fixation vulnerability.

This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1.

Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue.

In the affected versions, when a session already exists, it is not invalidated upon successful login, nor is a new session being generated with a new ID.

References

Credits

Auth bypass when accessing static files only on case-insensitive filesystems

CVE-2026-23903 [CVE] [CVE json] [OSV json]

Last updated: 2026-02-09T09:26:19.996Z

Affected

  • Apache Shiro before 2.0.7

Description

Authentication Bypass by Alternate Name vulnerability in Apache Shiro.

This issue affects Apache Shiro: before 2.0.7.

Users are recommended to upgrade to version 2.0.7, which fixes the issue.

The issue only effects static files. If static files are served from a case-insensitive filesystem,
such as default macOS setup, static files may be accessed by varying the case of the filename in the request.
If only lower-case (common default) filters are present in Shiro, they may be bypassed this way.

Shiro 2.0.7 and later has a new parameters to remediate this issue
shiro.ini: filterChainResolver.caseInsensitive = true
application.propertie: shiro.caseInsensitive=true

Shiro 3.0.0 and later (upcoming) makes this the default.

References

Credits

  • Jesse Yang (finder)
  • Lenny Pimak (remediation developer)

Brute force attack possible to determine valid user names

CVE-2026-23901 [CVE] [CVE json] [OSV json]

Last updated: 2026-02-10T09:25:49.952Z

Affected

  • Apache Shiro before 2.0.7

Description

Observable Timing Discrepancy vulnerability in Apache Shiro.

This issue affects Apache Shiro: from 1.*, 2.* before 2.0.7.

Users are recommended to upgrade to version 2.0.7 or later, which fixes the issue.

Prior to Shiro 2.0.7, code paths for non-existent vs. existing users are different enough,
that a brute-force attack may be able to tell, by timing the requests only, determine if
the request failed because of a non-existent user vs. wrong password.

The most likely attack vector is a local attack only.
Shiro security model https://shiro.apache.org/security-model.html#username_enumeration discusses this as well.

Typically, brute force attack can be mitigated at the infrastructure level.

References

Credits

  • 4ra1n (finder)
  • Y4tacker (finder)
  • lprimak (remediation developer)

URL Redirection to Untrusted Site (‘Open Redirect’) vulnerability in FORM authentication feature Apache Shiro.

CVE-2023-46750 [CVE] [CVE json] [OSV json]

Last updated: 2023-12-14T08:15:56.341Z

Affected

  • Apache Shiro before 1.13.0
  • Apache Shiro from 2.0.0-alpha-1 before 2.0.0-alpha-4

Description

URL Redirection to Untrusted Site (‘Open Redirect’) vulnerability when “form” authentication is used in Apache Shiro.
Mitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+.

References

Credits

  • Claudio Villella (finder)

Apache Shiro before 1.13.0 or 2.0.0-alpha-4, may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting

CVE-2023-46749 [CVE] [CVE json] [OSV json]

Last updated: 2024-01-19T18:12:43.905Z

Affected

  • Apache Shiro before 1.13.0
  • Apache Shiro from 2.0.0-alpha-1 before 2.0.0-alpha-4

Description

Apache Shiro before 1.13.0 or 2.0.0-alpha-4, may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting

Mitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+, or ensure blockSemicolon is enabled (this is the default).

References

Apache Shiro before 1.12.0, or 2.0.0-alpha-3, may be susceptible to a path traversal attack when used together with APIs or other web frameworks that route requests based on non-normalized requests.

CVE-2023-34478 [CVE] [CVE json] [OSV json]

Last updated: 2023-07-24T18:24:43.013Z

Affected

  • Apache Shiro before 1.12.0
  • Apache Shiro before 2.0.0-alpha-3

Description

Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path traversal attack that results in an authentication bypass when used together with APIs or other web frameworks that route requests based on non-normalized requests.

Mitigation: Update to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+

References

Credits

  • tkswifty (finder)
  • Ha1c9on (finder)

Apache Shiro before 1.11.0, when used with Spring Boot 2.6+, may allow authentication bypass through a specially crafted HTTP request

CVE-2023-22602 [CVE] [CVE json]

Last updated: 2023-01-14T09:33:37.695Z

Affected

  • Apache Shiro before 1.11.0 unaffected

Description

When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass.

The authentication bypass occurs when Shiro and Spring Boot are using different pattern-matching techniques. Both Shiro and Spring Boot < 2.6 default to Ant style pattern matching.

Mitigation: Update to Apache Shiro 1.11.0, or set the following Spring Boot configuration value: spring.mvc.pathmatch.matching-strategy = ant_path_matcher

References

Credits

  • v3ged0ge and Adamytd (finder)

Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher

CVE-2022-40664 [CVE] [CVE json] [OSV json]

Last updated: 2022-10-12T07:07:53.344Z

Affected

  • Apache Shiro from Apache Shiro before 1.10.0

Description

Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher.

References

Credits

  • Apache Shiro would like to thank Y4tacker for reporting this issue

Authentication Bypass Vulnerability

CVE-2022-32532 [CVE] [CVE json] [OSV json]

Last updated: 2022-06-28T23:13:16.050Z

Affected

  • Apache Shiro at Before 1.9.1

Description

Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers. Applications using RegExPatternMatcher with . in the regular expression are possibly vulnerable to an authorization bypass.

References

Credits

  • Apache Shiro would like the thank 4ra1n for reporting this issue.

Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass

CVE-2021-41303 [CVE] [CVE json] [OSV json]

Last updated: 2021-09-17T08:17:09.454Z

Affected

  • Apache Shiro from Apache Shiro before 1.8.0

Description

Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass.

Users should update to Apache Shiro 1.8.0.

References

Credits

  • Apache Shiro would like to thank tsug0d for reporting this issue.