CVE-2026-23901Observable Timing Discrepancy in Software Foundation Apache Shiro

CWE-208Observable Timing Discrepancy8 documents7 sources
Severity
1.0LOWNVD
EPSS
0.0%
top 99.33%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Apache Software Foundation Apache ShiroApache Shiro
Timeline
PublishedFeb 10

Description

Observable Timing Discrepancy vulnerability in Apache Shiro. This issue affects Apache Shiro: from 1.*, 2.* before 2.0.7. Users are recommended to upgrade to version 2.0.7 or later, which fixes the issue. Prior to Shiro 2.0.7, code paths for non-existent vs. existing users are different enough, that a brute-force attack may be able to tell, by timing the requests only, determine if the request failed because of a non-existent user vs. wrong password. The most likely attack vector is a local

CVSS vector

CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/S:N

Affected Packages2 packages

NVDapache/shiro< 2.0.7

🔴Vulnerability Details

4
OSV
Apache Shiro Affected by an Observable Timing Discrepancy Vulnerability2026-02-10
OSV
CVE-2026-23901: Observable Timing Discrepancy vulnerability in Apache Shiro2026-02-10
CVEList
Apache Shiro: Brute force attack possible to determine valid user names2026-02-10
GHSA
Apache Shiro Affected by an Observable Timing Discrepancy Vulnerability2026-02-10

📋Vendor Advisories

2
Red Hat
org.apache.shiro/shiro-core: Apache Shiro: Brute force attack possible to determine valid user names2026-02-10
Debian
CVE-2026-23901: shiro - Observable Timing Discrepancy vulnerability in Apache Shiro. This issue affects...2026

🕵️Threat Intelligence

1
Wiz
CVE-2026-23901 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-23901 — Observable Timing Discrepancy | cvebase