Apache Shiro vulnerabilities

CVE-2026-43827 [MEDIUM] CWE-384 CVE-2026-43827: Default configurations of Apache Shiro have a session fixation vulnerability. This issue affects Ap Default configurations of Apache Shiro have a session fixation vulnerability. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue. In the affected versions, when a session already exists, it is not invalidated upon successful logi

CVE-2026-44598 [MEDIUM] CWE-601 CVE-2026-44598: With valid login credentials, URL Redirection to Untrusted Site ('Open Redirect'), Server-Side Reque With valid login credentials, URL Redirection to Untrusted Site ('Open Redirect'), Server-Side Request Forgery (SSRF) vulnerability in Apache Shiro. This issue affects Apache Shiro from 2.0-alpha to 2.1.0, and 3.0.0-alpha-1, only when using shiro-jakarta-ee integration module. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or

CVE-2026-43828 [MEDIUM] CWE-614 CVE-2026-43828: Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attr Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attribute. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue. In the affected versions, Shiro-native session manager, as well as Re

CVE-2026-48589 [NONE] CWE-601 CVE-2026-48589: Apache Shiro’s Jakarta EE module used the HTTP Referer header in certain cases to issue redirect aft Apache Shiro’s Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user login. In affected versions, insufficient validation of this client-controlled value could allow an attacker to influence the redirect target in applications using the Jakarta EE module. This issue affects Apache Shiro from 2.0-alpha to 2.2.0,

CVE-2026-23901 [LOW] CWE-208 CVE-2026-23901: Observable Timing Discrepancy vulnerability in Apache Shiro. This issue affects Apache Shiro: from Observable Timing Discrepancy vulnerability in Apache Shiro. This issue affects Apache Shiro: from 1.*, 2.* before 2.0.7. Users are recommended to upgrade to version 2.0.7 or later, which fixes the issue. Prior to Shiro 2.0.7, code paths for non-existent vs. existing users are different enough, that a brute-force attack may be able to tell, by timing

CVE-2026-23903 [MEDIUM] CWE-289 CVE-2026-23903: Authentication Bypass by Alternate Name vulnerability in Apache Shiro. This issue affects Apache Sh Authentication Bypass by Alternate Name vulnerability in Apache Shiro. This issue affects Apache Shiro: before 2.0.7. Users are recommended to upgrade to version 2.0.7, which fixes the issue. The issue only effects static files. If static files are served from a case-insensitive filesystem, such as default macOS setup, static files may be accesse

CVE-2023-46749 [MEDIUM] CWE-22 CVE-2023-46749: Apache Shiro before 1.13.0 or 2.0.0-alpha-4, may be susceptible to a path traversal attack that resu Apache Shiro before 1.13.0 or 2.0.0-alpha-4, may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting Mitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+, or ensure `blockSemicolon` is enabled (this is the default).

CVE-2023-46750 [MEDIUM] CWE-601 CVE-2023-46750: URL Redirection to Untrusted Site ('Open Redirect') vulnerability when "form" authentication is used URL Redirection to Untrusted Site ('Open Redirect') vulnerability when "form" authentication is used in Apache Shiro. Mitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+.

CVE-2023-34478 [CRITICAL] CWE-22 CVE-2023-34478: Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path traversal attack that res Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path traversal attack that results in an authentication bypass when used together with APIs or other web frameworks that route requests based on non-normalized requests. Mitigation: Update to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+

CVE-2023-22602 [HIGH] CWE-436 CVE-2023-22602: When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP reque When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass. The authentication bypass occurs when Shiro and Spring Boot are using different pattern-matching techniques. Both Shiro and Spring Boot < 2.6 default to Ant style pattern matching. Mitigation: Update to Apache Shi

CVE-2022-40664 [CRITICAL] CWE-287 CVE-2022-40664: Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or includin Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher.

CVE-2022-32532 [CRITICAL] CWE-863 CVE-2022-32532: Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers. Applications using RegExPatternMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.

CVE-2021-41303 [CRITICAL] CWE-287 CVE-2021-41303: Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP reques Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass. Users should update to Apache Shiro 1.8.0.

CVE-2020-17523 [CRITICAL] CWE-287 CVE-2020-17523: Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a specially crafted HTTP request may Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.

CVE-2020-17510 [CRITICAL] CWE-287 CVE-2020-17510: Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.

CVE-2020-13933 [HIGH] CVE-2020-13933: Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted HTTP request may cause an au Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted HTTP request may cause an authentication bypass.

CVE-2020-11989 [CRITICAL] CVE-2020-11989: Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially craf Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.

CVE-2020-1957 [CRITICAL] CVE-2020-1957: Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially craf Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.

CVE-2019-12422 [HIGH] CVE-2019-12422: Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susc Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack.

CVE-2016-6802 [HIGH] CWE-284 CVE-2016-6802: Apache Shiro before 1.3.2 allows attackers to bypass intended servlet filters and gain access by lev Apache Shiro before 1.3.2 allows attackers to bypass intended servlet filters and gain access by leveraging use of a non-root servlet context path.