CVE-2026-23903
Severity
5.3 MEDIUM
EPSS
0.1%
top 73.20%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published Feb 9
Description
Authentication Bypass by Alternate Name vulnerability in Apache Shiro.
This issue affects Apache Shiro: before 2.0.7.
Users are recommended to upgrade to version 2.0.7, which fixes the issue.
The issue only affects static files. If static files are served from a case-insensitive filesystem,
such as the default macOS setup, static files may be accessed by varying the case of the filename in the request.
If only lower-case (common default) filters are present in Shiro, they may be bypassed this way…
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploitability: 3.9 | Impact: 1.4
Affected Packages: 3 packages
Vulnerability Details
OSV (4)
CVEList
Apache Shiro: Auth bypass when accessing static files only on case-insensitive filesystems (2026-02-09)