{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23903", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2026-01-19T01:14:40.103Z", "datePublished": "2026-02-09T09:26:21.772Z", "dateUpdated": "2026-02-09T16:17:43.204Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected", "packageName": "org.apache.shiro:shiro-web", "product": "Apache Shiro", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "2.0.7", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jesse Yang"}, {"lang": "en", "type": "remediation developer", "value": "Lenny Pimak"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Authentication Bypass by Alternate Name vulnerability in Apache Shiro.</p><p>This issue affects Apache Shiro: before 2.0.7.</p><p>Users are recommended to upgrade to version 2.0.7, which fixes the issue.</p>The issue only effects static files. If static files are served from a case-insensitive filesystem,<br>such as default macOS setup, static files may be accessed by varying the case of the filename in the request.<br>If only lower-case (common default) filters are present in Shiro, they may be bypassed this way.<br><br>Shiro 2.0.7 and later has a new parameters to remediate this issue<br>shiro.ini: <span style=\"background-color: rgba(129, 139, 152, 0.12);\">filterChainResolver.caseInsensitive = true<br></span>application.propertie: shiro<span style=\"background-color: rgba(129, 139, 152, 0.12);\">.caseInsensitive=true<br></span><br>Shiro 3.0.0 and later (upcoming) makes this the default."}], "value": "Authentication Bypass by Alternate Name vulnerability in Apache Shiro.\n\nThis issue affects Apache Shiro: before 2.0.7.\n\nUsers are recommended to upgrade to version 2.0.7, which fixes the issue.\n\nThe issue only effects static files. If static files are served from a case-insensitive filesystem,\nsuch as default macOS setup, static files may be accessed by varying the case of the filename in the request.\nIf only lower-case (common default) filters are present in Shiro, they may be bypassed this way.\n\nShiro 2.0.7 and later has a new parameters to remediate this issue\nshiro.ini: filterChainResolver.caseInsensitive = true\napplication.propertie: shiro.caseInsensitive=true\n\nShiro 3.0.0 and later (upcoming) makes this the default."}], "metrics": [{"other": {"content": {"text": "low"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-289", "description": "CWE-289 Authentication Bypass by Alternate Name", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-02-09T09:26:21.772Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/5jjf0hnjcol58z2m5y255c7scz1lnp8k"}], "source": {"discovery": "EXTERNAL"}, "title": "Apache Shiro: Auth bypass when accessing static files only on case-insensitive filesystems", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/02/08/1"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-02-09T10:25:43.212Z"}}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-02-09T16:17:20.608697Z", "id": "CVE-2026-23903", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-09T16:17:43.204Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/02/08/1"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-02-09T10:25:43.212Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-23903", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-09T16:17:20.608697Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-09T16:16:07.848Z"}}], "cna": {"title": "Apache Shiro: Auth bypass when accessing static files only on case-insensitive filesystems", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Jesse Yang"}, {"lang": "en", "type": "remediation developer", "value": "Lenny Pimak"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "low"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Shiro", "versions": [{"status": "affected", "version": "0", "lessThan": "2.0.7", "versionType": "semver"}], "packageName": "org.apache.shiro:shiro-web", "collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected"}], "references": [{"url": "https://lists.apache.org/thread/5jjf0hnjcol58z2m5y255c7scz1lnp8k", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Authentication Bypass by Alternate Name vulnerability in Apache Shiro.\n\nThis issue affects Apache Shiro: before 2.0.7.\n\nUsers are recommended to upgrade to version 2.0.7, which fixes the issue.\n\nThe issue only effects static files. If static files are served from a case-insensitive filesystem,\nsuch as default macOS setup, static files may be accessed by varying the case of the filename in the request.\nIf only lower-case (common default) filters are present in Shiro, they may be bypassed this way.\n\nShiro 2.0.7 and later has a new parameters to remediate this issue\nshiro.ini: filterChainResolver.caseInsensitive = true\napplication.propertie: shiro.caseInsensitive=true\n\nShiro 3.0.0 and later (upcoming) makes this the default.", "supportingMedia": [{"type": "text/html", "value": "<p>Authentication Bypass by Alternate Name vulnerability in Apache Shiro.</p><p>This issue affects Apache Shiro: before 2.0.7.</p><p>Users are recommended to upgrade to version 2.0.7, which fixes the issue.</p>The issue only effects static files. If static files are served from a case-insensitive filesystem,<br>such as default macOS setup, static files may be accessed by varying the case of the filename in the request.<br>If only lower-case (common default) filters are present in Shiro, they may be bypassed this way.<br><br>Shiro 2.0.7 and later has a new parameters to remediate this issue<br>shiro.ini: <span style=\"background-color: rgba(129, 139, 152, 0.12);\">filterChainResolver.caseInsensitive = true<br></span>application.propertie: shiro<span style=\"background-color: rgba(129, 139, 152, 0.12);\">.caseInsensitive=true<br></span><br>Shiro 3.0.0 and later (upcoming) makes this the default.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-289", "description": "CWE-289 Authentication Bypass by Alternate Name"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-02-09T09:26:21.772Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23903", "state": "PUBLISHED", "dateUpdated": "2026-02-09T16:17:43.204Z", "dateReserved": "2026-01-19T01:14:40.103Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2026-02-09T09:26:21.772Z", "assignerShortName": "apache"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:shiro:*:*:*:*:*:*:*:*", "matchCriteriaId": "9E1B2B45-F100-4693-9F70-FE8D342853A3", "versionEndExcluding": "2.0.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Authentication Bypass by Alternate Name vulnerability in Apache Shiro.\n\nThis issue affects Apache Shiro: before 2.0.7.\n\nUsers are recommended to upgrade to version 2.0.7, which fixes the issue.\n\nThe issue only effects static files. If static files are served from a case-insensitive filesystem,\nsuch as default macOS setup, static files may be accessed by varying the case of the filename in the request.\nIf only lower-case (common default) filters are present in Shiro, they may be bypassed this way.\n\nShiro 2.0.7 and later has a new parameters to remediate this issue\nshiro.ini: filterChainResolver.caseInsensitive = true\napplication.propertie: shiro.caseInsensitive=true\n\nShiro 3.0.0 and later (upcoming) makes this the default."}], "id": "CVE-2026-23903", "lastModified": "2026-02-11T18:30:59.070", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-09T10:15:57.520", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/5jjf0hnjcol58z2m5y255c7scz1lnp8k"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2026/02/08/1"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-289"}], "source": "security@apache.org", "type": "Secondary"}]}

{"bugzilla": {"description": "org.apache.shiro/shiro-web: Apache Shiro: Auth bypass when accessing static files only on case-insensitive filesystems", "id": "2437850", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2437850"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "status": "draft"}, "cwe": "CWE-289", "details": ["No description is available for this CVE."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-23903", "package_state": [{"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Fix deferred", "package_name": "shiro-web", "product_name": "Red Hat build of Apache Camel for Spring Boot 4"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Fix deferred", "package_name": "shiro-web", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "shiro-web", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "shiro-web", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}], "public_date": "2026-02-09T09:26:21Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23903\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23903\nhttp://www.openwall.com/lists/oss-security/2026/02/08/1\nhttps://lists.apache.org/thread/5jjf0hnjcol58z2m5y255c7scz1lnp8k"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.0.7)"}}], "product": "shiro", "vendor": "apache"}], "analysis": {"en": {"generated_at": "2026-04-18T18:17:04.933542+00:00", "value": {"mitigation_remediation": ["Upgrade Apache Shiro to version 2.0.7 or later", "If upgrade is not immediately possible, enable case\u2011insensitive filter resolution by setting filterChainResolver.caseInsensitive=true in shiro.ini or shiro.caseInsensitive=true in application.properties", "As a temporary safeguard, configure the application to serve static files only from lower\u2011case filenames or restrict static file access to authenticated users, ensuring that case\u2011based bypass is mitigated"], "summary": {"action": "Patch", "impact": "Authentication Bypass for static file access"}, "threat_synthesis": {"affected_systems": "All releases of Apache Shiro prior to 2.0.7 are affected. The issue is addressed in 2.0.7, which introduces a new parameter in shiro.ini or application.properties that enables case\u2011insensitive filter resolution when true. Future versions 3.0.0 and later make this behaviour the default.", "description_and_impact": "The vulnerability allows an attacker to bypass authentication filters when accessing static files served from a case\u2011insensitive filesystem, such as the default macOS setup. If the application delivers static content and the filesystem treats uppercase and lowercase file names as equivalent, an attacker can change the case of the file name in the HTTP request to circumvent the configured filters that only detect lower\u2011case names. This leads to unauthorized access to protected static resources rather than the entire application, but it still allows leakage of potentially sensitive data.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity, while the EPSS score of less than 1% suggests very low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw remotely via HTTP requests by altering the case of a static file name; no special privileges or local access are required. Given the moderate score but low likelihood of exploitation, the overall risk remains moderate, but patching is recommended to eliminate the possibility of unauthorized static content exposure."}}}}, "created": "2026-02-10T12:23:44.729943+00:00", "updated": "2026-04-18T18:30:07.273388+00:00", "vendors": ["apache", "apache$PRODUCT$shiro"]}