Apache Shiro vulnerabilities
19 known vulnerabilities affecting apache/shiro.
Total CVEs
19
CISA KEV
1
actively exploited
Public exploits
2
Exploited in wild
1
Severity breakdown
CRITICAL9HIGH5MEDIUM4LOW1
Vulnerabilities
Page 1 of 1
CVE-2026-23901LOWCVSS 1.0fixed in 2.0.72026-02-10
CVE-2026-23901 [LOW] CWE-208 CVE-2026-23901: Observable Timing Discrepancy vulnerability in Apache Shiro.
This issue affects Apache Shiro: from
Observable Timing Discrepancy vulnerability in Apache Shiro.
This issue affects Apache Shiro: from 1.*, 2.* before 2.0.7.
Users are recommended to upgrade to version 2.0.7 or later, which fixes the issue.
Prior to Shiro 2.0.7, code paths for non-existent vs. existing users are different enough,
that a brute-force attack may be able to tell, by timing
nvd
CVE-2026-23903MEDIUMCVSS 5.3fixed in 2.0.72026-02-09
CVE-2026-23903 [MEDIUM] CWE-289 CVE-2026-23903: Authentication Bypass by Alternate Name vulnerability in Apache Shiro.
This issue affects Apache Sh
Authentication Bypass by Alternate Name vulnerability in Apache Shiro.
This issue affects Apache Shiro: before 2.0.7.
Users are recommended to upgrade to version 2.0.7, which fixes the issue.
The issue only effects static files. If static files are served from a case-insensitive filesystem,
such as default macOS setup, static files may be accesse
nvd
CVE-2023-46749MEDIUMCVSS 6.5fixed in 1.13.0v2.0.02024-01-15
CVE-2023-46749 [MEDIUM] CWE-22 CVE-2023-46749: Apache Shiro before 1.13.0 or 2.0.0-alpha-4, may be susceptible to a path traversal attack that resu
Apache Shiro before 1.13.0 or 2.0.0-alpha-4, may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting
Mitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+, or ensure `blockSemicolon` is enabled (this is the default).
nvd
CVE-2023-46750MEDIUMCVSS 6.1fixed in 1.13.0v2.0.02023-12-14
CVE-2023-46750 [MEDIUM] CWE-601 CVE-2023-46750: URL Redirection to Untrusted Site ('Open Redirect') vulnerability when "form" authentication is used
URL Redirection to Untrusted Site ('Open Redirect') vulnerability when "form" authentication is used in Apache Shiro.
Mitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+.
nvd
CVE-2023-34478CRITICALCVSS 9.8fixed in 1.12.0v2.0.02023-07-24
CVE-2023-34478 [CRITICAL] CWE-22 CVE-2023-34478: Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path traversal attack that res
Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path traversal attack that results in an authentication bypass when used together with APIs or other web frameworks that route requests based on non-normalized requests.
Mitigation: Update to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+
nvd
CVE-2023-22602HIGHCVSS 7.5fixed in 1.11.02023-01-14
CVE-2023-22602 [HIGH] CWE-436 CVE-2023-22602: When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP reque
When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass.
The authentication bypass occurs when Shiro and Spring Boot are using different pattern-matching techniques. Both Shiro and Spring Boot < 2.6 default to Ant style pattern matching.
Mitigation: Update to Apache Shi
nvd
CVE-2022-40664CRITICALCVSS 9.8fixed in 1.10.02022-10-12
CVE-2022-40664 [CRITICAL] CWE-287 CVE-2022-40664: Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or includin
Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher.
nvd
CVE-2022-32532CRITICALCVSS 9.8fixed in 1.9.12022-06-29
CVE-2022-32532 [CRITICAL] CWE-863 CVE-2022-32532: Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet
Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers. Applications using RegExPatternMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.
nvd
CVE-2021-41303CRITICALCVSS 9.8fixed in 1.8.02021-09-17
CVE-2021-41303 [CRITICAL] CWE-287 CVE-2021-41303: Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP reques
Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass. Users should update to Apache Shiro 1.8.0.
nvd
CVE-2020-17523CRITICALCVSS 9.8fixed in 1.7.12021-02-03
CVE-2020-17523 [CRITICAL] CWE-287 CVE-2020-17523: Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a specially crafted HTTP request may
Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.
nvd
CVE-2020-17510CRITICALCVSS 9.8fixed in 1.7.02020-11-05
CVE-2020-17510 [CRITICAL] CWE-287 CVE-2020-17510: Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may
Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.
nvd
CVE-2020-13933HIGHCVSS 7.5fixed in 1.6.02020-08-17
CVE-2020-13933 [HIGH] CVE-2020-13933: Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted HTTP request may cause an au
Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted HTTP request may cause an authentication bypass.
nvd
CVE-2020-11989CRITICALCVSS 9.8fixed in 1.5.32020-06-22
CVE-2020-11989 [CRITICAL] CVE-2020-11989: Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially craf
Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
nvd
CVE-2020-1957CRITICALCVSS 9.8fixed in 1.5.22020-03-25
CVE-2020-1957 [CRITICAL] CVE-2020-1957: Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially craf
Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
nvd
CVE-2019-12422HIGHCVSS 7.5fixed in 1.4.2vto 1.4.12019-11-18
CVE-2019-12422 [HIGH] CVE-2019-12422: Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susc
Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack.
cvelistv5nvd
CVE-2016-6802HIGHCVSS 7.5v1.3.12016-09-20
CVE-2016-6802 [HIGH] CWE-284 CVE-2016-6802: Apache Shiro before 1.3.2 allows attackers to bypass intended servlet filters and gain access by lev
Apache Shiro before 1.3.2 allows attackers to bypass intended servlet filters and gain access by leveraging use of a non-root servlet context path.
nvd
CVE-2016-4437CRITICALCVSS 9.8KEVPoCfixed in 1.2.52016-06-07
CVE-2016-4437 [CRITICAL] CWE-321 CVE-2016-4437: Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature,
Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.
nvd
CVE-2014-0074HIGHCVSS 7.5v1.0.0v1.1.0+3 more2014-10-06
CVE-2014-0074 [HIGH] CWE-287 CVE-2014-0074: Apache Shiro 1.x before 1.2.3, when using an LDAP server with unauthenticated bind enabled, allows r
Apache Shiro 1.x before 1.2.3, when using an LDAP server with unauthenticated bind enabled, allows remote attackers to bypass authentication via an empty (1) username or (2) password.
nvd
CVE-2010-3863MEDIUMCVSS 5.0PoC≤ 1.0.02010-11-05
CVE-2010-3863 [MEDIUM] CWE-22 CVE-2010-3863: Apache Shiro before 1.1.0, and JSecurity 0.9.x, does not canonicalize URI paths before comparing the
Apache Shiro before 1.1.0, and JSecurity 0.9.x, does not canonicalize URI paths before comparing them to entries in the shiro.ini file, which allows remote attackers to bypass intended access restrictions via a crafted request, as demonstrated by the /./account/index.jsp URI.
nvd