Apache Shiro security advisories
Security information for Apache Shiro
Reporting
Do you want disclose a potential security issue for Apache Shiro? You can read more about the projects’ security policy on their security page, and email your report to the Apache Shiro Security Team.
Advisories
This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. It may also lack details found on the project security page. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org
Remember-me cookie isn’t checked for expiry on the server
CVE-2026-56130 [CVE] [CVE json] [OSV json]
Last updated: 2026-06-25T08:44:28.652Z
Affected
- Apache Shiro from 1.2.4 through 2.99.99
- Apache Shiro from 3.0.0-alpha-0 through 3.0.0-alpha-1
Description
"Remember me" cookie age is not verified on the server. This potentially allows an attacker to intercept a valid cookie and reuse it indefinitely, even after the configured expiration time has passed.
This issue affects all Apache Shiro versions from 1.2.4 through 2.x, and 3.0.0-alpha-1, only when RememberMe functionality is enabled.
Upgrade to version 3.0.0 or later, which fixes the issue.
References
Credits
- Richard Bradley (finder)
- Lenny Primak lenny@flowlogix.com (remediation developer)
Authentication bypass in Guice-Web integration
CVE-2026-56091 [CVE] [CVE json] [OSV json]
Last updated: 2026-06-25T08:45:18.079Z
Affected
- Apache Shiro through 2.99.99
- Apache Shiro from 3.0.0-alpha-0 through 3.0.0-alpha-1
Description
When using Apache Shiro with the shiro-guice module in a web servlet context, a specially crafted HTTP request may cause an authentication bypass.
This vulnerability is similar to https://www.cve.org/CVERecord?id=CVE-2020-1957, except that it affects the shiro-guice module instead of the shiro-spring module.
This issue affects all Apache Shiro versions through 2.x, and 3.0.0-alpha-1 only when using shiro-guice module in a web servlet context.
Upgrade to version 3.0.0 or later, which fixes the issue.
References
Credits
- LocalHost localhost.detect@gmail.com (finder)
- Lenny Primak lenny@flowlogix.com (remediation developer)
LDAP DN Injection in DefaultLdapRealm
CVE-2026-49268 [CVE] [CVE json] [OSV json]
Last updated: 2026-06-17T13:07:43.325Z
Affected
- Apache Shiro through 2.2.0
- Apache Shiro from 3.0.0-alpha-0 through 3.0.0-alpha-1
Description
A remote attacker can inject LDAP special characters into the Distinguished Name (DN) construction in DefaultLdapRealm class. User-supplied username input is directly concatenated into the LDAP DN template without any escaping of RFC 2253 special characters. This allows an attacker to manipulate the DN structure used for LDAP bind authentication, potentially bypassing authentication or impersonating other users.
This issue affects all Apache Shiro versions through 2.2.0, and 3.0.0-alpha-1 when using DefaultLdapRealm
Upgrade to Apache Shiro 2.2.1 or 3.0.0-alpha-2 or later, which fixes the issue.
References
Credits
- zhaokaifei (reporter) - ChinaTelecom (finder)
- Lenny Primak lenny@flowlogix.com (remediation developer)
Jakarta EE open redirect via untrusted Referer in post-login redirect flow
CVE-2026-48589 [CVE] [CVE json] [OSV json]
Last updated: 2026-05-25T20:20:09.531Z
Affected
- Apache Shiro from 2.0.0-alpha-0 through 2.2.0
- Apache Shiro from 3.0.0-alpha-0 through 3.0.0-alpha-1
Description
Apache Shiro’s Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user login.
In affected versions, insufficient validation of this client-controlled value could allow an attacker to influence the redirect target in applications using the Jakarta EE module.
This issue affects Apache Shiro from 2.0-alpha to 2.2.0, and 3.0.0-alpha-1, only when using shiro-jakarta-ee integration module.
References
Credits
- Bartlomiej Dmitruk bartek@striga.ai (finder)
- Lenny Primak lenny@flowlogix.com (remediation developer)
Open redirect and SSRF (requires valid credentials)
CVE-2026-44598 [CVE] [CVE json] [OSV json]
Last updated: 2026-05-25T20:19:50.656Z
Affected
- Apache Shiro Jakarta EE module from 2.0.0-alpha-0 through 2.1.0
- Apache Shiro Jakarta EE module from 3.0.0-alpha-0 through 3.0.0-alpha-1
Description
With valid login credentials, URL Redirection to Untrusted Site ('Open Redirect'), Server-Side Request Forgery (SSRF) vulnerability in Apache Shiro.
This issue affects Apache Shiro from 2.0-alpha to 2.1.0, and 3.0.0-alpha-1, only when using shiro-jakarta-ee integration module.
Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue by encrypting the cookie.
After successful login, Jakarta EE integration module uses shiroSavedRequest cookie to redirect to a particular web page after login.
This cookie was not validated, and can be forged to send a HTTP GET request from the server itself to an arbitrary URL from the cookie.
References
Credits
- James Love jameslove2k22@gmail.com (finder)
- Lenny Primak lenny@flowlogix.com (remediation developer)
Shiro’s native session and rememberMe cookies do not have secure flag set by default
CVE-2026-43828 [CVE] [CVE json] [OSV json]
Last updated: 2026-05-25T20:19:30.172Z
Affected
- Apache Shiro from 1.0 through 2.1.0
- Apache Shiro from 3.0.0-alpha-0 through 3.0.0-alpha-1
Description
Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attribute.
This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1.
Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue.
In the affected versions, Shiro-native session manager, as well as Remember-Me manager sends JSESSIONID and rememberMe cookies without 'secure' attribute by default.References
Credits
- Meteor_Kai 1318723916@qq.com (finder)
- Lenny Primak lenny@flowlogix.com (remediation developer)
Session fixation: new session is not created after login by default
CVE-2026-43827 [CVE] [CVE json] [OSV json]
Last updated: 2026-05-25T20:19:09.384Z
Affected
- Apache Shiro from 1.0 through 2.1.0
- Apache Shiro from 3.0.0-alpha-0 through 3.0.0-alpha-1
Description
Default configurations of Apache Shiro have a session fixation vulnerability.
This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1.
Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue.
In the affected versions, when a session already exists, it is not invalidated upon successful login, nor is a new session being generated with a new ID.References
Credits
- Rasmus Moorats xx@nns.ee (finder)
- Lenny Primak lenny@flowlogix.com (remediation developer)
Auth bypass when accessing static files only on case-insensitive filesystems
CVE-2026-23903 [CVE] [CVE json] [OSV json]
Last updated: 2026-02-09T09:26:19.996Z
Affected
- Apache Shiro before 2.0.7
Description
Authentication Bypass by Alternate Name vulnerability in Apache Shiro.
This issue affects Apache Shiro: before 2.0.7.
Users are recommended to upgrade to version 2.0.7, which fixes the issue.
The issue only effects static files. If static files are served from a case-insensitive filesystem,such as default macOS setup, static files may be accessed by varying the case of the filename in the request.
If only lower-case (common default) filters are present in Shiro, they may be bypassed this way.
Shiro 2.0.7 and later has a new parameters to remediate this issue
shiro.ini: filterChainResolver.caseInsensitive = true
application.propertie: shiro.caseInsensitive=true
Shiro 3.0.0 and later (upcoming) makes this the default.
References
Credits
- Jesse Yang (finder)
- Lenny Pimak (remediation developer)
Brute force attack possible to determine valid user names
CVE-2026-23901 [CVE] [CVE json] [OSV json]
Last updated: 2026-02-10T09:25:49.952Z
Affected
- Apache Shiro before 2.0.7
Description
Observable Timing Discrepancy vulnerability in Apache Shiro.
This issue affects Apache Shiro: from 1.*, 2.* before 2.0.7.
Users are recommended to upgrade to version 2.0.7 or later, which fixes the issue.
Prior to Shiro 2.0.7, code paths for non-existent vs. existing users are different enough,that a brute-force attack may be able to tell, by timing the requests only, determine if
the request failed because of a non-existent user vs. wrong password.
The most likely attack vector is a local attack only.
Shiro security model https://shiro.apache.org/security-model.html#username_enumeration discusses this as well.
Typically, brute force attack can be mitigated at the infrastructure level.
References
Credits
- 4ra1n (finder)
- Y4tacker (finder)
- lprimak (remediation developer)
URL Redirection to Untrusted Site (‘Open Redirect’) vulnerability in FORM authentication feature Apache Shiro.
CVE-2023-46750 [CVE] [CVE json] [OSV json]
Last updated: 2023-12-14T08:15:56.341Z
Affected
- Apache Shiro before 1.13.0
- Apache Shiro from 2.0.0-alpha-1 before 2.0.0-alpha-4
Description
URL Redirection to Untrusted Site (‘Open Redirect’) vulnerability when “form” authentication is used in Apache Shiro.
Mitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+.
References
Credits
- Claudio Villella (finder)
Apache Shiro before 1.13.0 or 2.0.0-alpha-4, may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting
CVE-2023-46749 [CVE] [CVE json] [OSV json]
Last updated: 2024-01-19T18:12:43.905Z
Affected
- Apache Shiro before 1.13.0
- Apache Shiro from 2.0.0-alpha-1 before 2.0.0-alpha-4
Description
Apache Shiro before 1.13.0 or 2.0.0-alpha-4, may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting
Mitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+, or ensure blockSemicolon is enabled (this is the default).
References
Apache Shiro before 1.12.0, or 2.0.0-alpha-3, may be susceptible to a path traversal attack when used together with APIs or other web frameworks that route requests based on non-normalized requests.
CVE-2023-34478 [CVE] [CVE json] [OSV json]
Last updated: 2023-07-24T18:24:43.013Z
Affected
- Apache Shiro before 1.12.0
- Apache Shiro before 2.0.0-alpha-3
Description
Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path traversal attack that results in an authentication bypass when used together with APIs or other web frameworks that route requests based on non-normalized requests.
Mitigation: Update to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+
References
Credits
- tkswifty (finder)
- Ha1c9on (finder)
Apache Shiro before 1.11.0, when used with Spring Boot 2.6+, may allow authentication bypass through a specially crafted HTTP request
CVE-2023-22602 [CVE] [CVE json]
Last updated: 2023-01-14T09:33:37.695Z
Affected
- Apache Shiro before 1.11.0 unaffected
Description
When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass.
The authentication bypass occurs when Shiro and Spring Boot are using different pattern-matching techniques. Both Shiro and Spring Boot < 2.6 default to Ant style pattern matching.
Mitigation: Update to Apache Shiro 1.11.0, or set the following Spring Boot configuration value: spring.mvc.pathmatch.matching-strategy = ant_path_matcher
References
Credits
- v3ged0ge and Adamytd (finder)
Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher
CVE-2022-40664 [CVE] [CVE json] [OSV json]
Last updated: 2022-10-12T07:07:53.344Z
Affected
- Apache Shiro from Apache Shiro before 1.10.0
Description
Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher.
References
Credits
- Apache Shiro would like to thank Y4tacker for reporting this issue
Authentication Bypass Vulnerability
CVE-2022-32532 [CVE] [CVE json] [OSV json]
Last updated: 2022-06-28T23:13:16.050Z
Affected
- Apache Shiro at Before 1.9.1
Description
Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers. Applications using RegExPatternMatcher with . in the regular expression are possibly vulnerable to an authorization bypass.
References
Credits
- Apache Shiro would like the thank 4ra1n for reporting this issue.
Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass
CVE-2021-41303 [CVE] [CVE json] [OSV json]
Last updated: 2021-09-17T08:17:09.454Z
Affected
- Apache Shiro from Apache Shiro before 1.8.0
Description
Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass.
Users should update to Apache Shiro 1.8.0.
References
Credits
- Apache Shiro would like to thank tsug0d for reporting this issue.