{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23901", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2026-01-17T18:01:53.140Z", "datePublished": "2026-02-10T09:25:51.765Z", "dateUpdated": "2026-02-10T15:31:25.166Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected", "packageName": "org.apache.shiro:shiro-core", "product": "Apache Shiro", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "2.0.7", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "4ra1n"}, {"lang": "en", "type": "finder", "value": "Y4tacker"}, {"lang": "en", "type": "remediation developer", "value": "lprimak"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Observable Timing Discrepancy vulnerability in Apache Shiro.</p><p>This issue affects Apache Shiro: from 1.*, 2.* before 2.0.7.</p><p>Users are recommended to upgrade to version 2.0.7 or later, which fixes the issue.</p>Prior to Shiro 2.0.7, code paths for non-existent vs. existing users are different enough,<br>that a brute-force attack may be able to tell, by timing the requests only, determine if<br>the request failed because of a non-existent user vs. wrong password.<br><br>The most likely attack vector is a local attack only.<br>Shiro security model&nbsp;<a target=\"_blank\" rel=\"nofollow\" href=\"https://shiro.apache.org/security-model.html#username_enumeration\">https://shiro.apache.org/security-model.html#username_enumeration</a>&nbsp;discusses this as well.<br><br>Typically, brute force attack can be mitigated at the infrastructure level."}], "value": "Observable Timing Discrepancy vulnerability in Apache Shiro.\n\nThis issue affects Apache Shiro: from 1.*, 2.* before 2.0.7.\n\nUsers are recommended to upgrade to version 2.0.7 or later, which fixes the issue.\n\nPrior to Shiro 2.0.7, code paths for non-existent vs. existing users are different enough,\nthat a brute-force attack may be able to tell, by timing the requests only, determine if\nthe request failed because of a non-existent user vs. wrong password.\n\nThe most likely attack vector is a local attack only.\nShiro security model\u00a0 https://shiro.apache.org/security-model.html#username_enumeration \u00a0discusses this as well.\n\nTypically, brute force attack can be mitigated at the infrastructure level."}], "metrics": [{"cvssV4_0": {"Automatable": "YES", "Recovery": "AUTOMATIC", "Safety": "NEGLIGIBLE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "LOCAL", "baseScore": 1, "baseSeverity": "LOW", "privilegesRequired": "LOW", "providerUrgency": "GREEN", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "CONCENTRATED", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/S:N/AU:Y/R:A/V:C/RE:L/U:Green", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "LOW"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"other": {"content": {"text": "low"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-208", "description": "CWE-208 Observable Timing Discrepancy", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-02-10T09:25:51.765Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/mm1jct9b86jvnh3y44tj22xvjtx3xhhh"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache Shiro: Brute force attack possible to determine valid user names", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/02/08/2"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-02-10T10:22:44.721Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-10T15:31:09.515973Z", "id": "CVE-2026-23901", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T15:31:25.166Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/02/08/2"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-02-10T10:22:44.721Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23901", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-10T15:31:09.515973Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T15:31:15.431Z"}}], "cna": {"title": "Apache Shiro: Brute force attack possible to determine valid user names", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "4ra1n"}, {"lang": "en", "type": "finder", "value": "Y4tacker"}, {"lang": "en", "type": "remediation developer", "value": "lprimak"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NEGLIGIBLE", "version": "4.0", "Recovery": "AUTOMATIC", "baseScore": 1, "Automatable": "YES", "attackVector": "LOCAL", "baseSeverity": "LOW", "valueDensity": "CONCENTRATED", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/S:N/AU:Y/R:A/V:C/RE:L/U:Green", "providerUrgency": "GREEN", "userInteraction": "ACTIVE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"other": {"type": "Textual description of severity", "content": {"text": "low"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Shiro", "versions": [{"status": "affected", "version": "0", "lessThan": "2.0.7", "versionType": "semver"}], "packageName": "org.apache.shiro:shiro-core", "collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected"}], "references": [{"url": "https://lists.apache.org/thread/mm1jct9b86jvnh3y44tj22xvjtx3xhhh", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Observable Timing Discrepancy vulnerability in Apache Shiro.\n\nThis issue affects Apache Shiro: from 1.*, 2.* before 2.0.7.\n\nUsers are recommended to upgrade to version 2.0.7 or later, which fixes the issue.\n\nPrior to Shiro 2.0.7, code paths for non-existent vs. existing users are different enough,\nthat a brute-force attack may be able to tell, by timing the requests only, determine if\nthe request failed because of a non-existent user vs. wrong password.\n\nThe most likely attack vector is a local attack only.\nShiro security model\u00a0 https://shiro.apache.org/security-model.html#username_enumeration \u00a0discusses this as well.\n\nTypically, brute force attack can be mitigated at the infrastructure level.", "supportingMedia": [{"type": "text/html", "value": "<p>Observable Timing Discrepancy vulnerability in Apache Shiro.</p><p>This issue affects Apache Shiro: from 1.*, 2.* before 2.0.7.</p><p>Users are recommended to upgrade to version 2.0.7 or later, which fixes the issue.</p>Prior to Shiro 2.0.7, code paths for non-existent vs. existing users are different enough,<br>that a brute-force attack may be able to tell, by timing the requests only, determine if<br>the request failed because of a non-existent user vs. wrong password.<br><br>The most likely attack vector is a local attack only.<br>Shiro security model&nbsp;<a target=\"_blank\" rel=\"nofollow\" href=\"https://shiro.apache.org/security-model.html#username_enumeration\">https://shiro.apache.org/security-model.html#username_enumeration</a>&nbsp;discusses this as well.<br><br>Typically, brute force attack can be mitigated at the infrastructure level.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-208", "description": "CWE-208 Observable Timing Discrepancy"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-02-10T09:25:51.765Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23901", "state": "PUBLISHED", "dateUpdated": "2026-02-10T15:31:25.166Z", "dateReserved": "2026-01-17T18:01:53.140Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2026-02-10T09:25:51.765Z", "assignerShortName": "apache"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:shiro:*:*:*:*:*:*:*:*", "matchCriteriaId": "9E1B2B45-F100-4693-9F70-FE8D342853A3", "versionEndExcluding": "2.0.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Observable Timing Discrepancy vulnerability in Apache Shiro.\n\nThis issue affects Apache Shiro: from 1.*, 2.* before 2.0.7.\n\nUsers are recommended to upgrade to version 2.0.7 or later, which fixes the issue.\n\nPrior to Shiro 2.0.7, code paths for non-existent vs. existing users are different enough,\nthat a brute-force attack may be able to tell, by timing the requests only, determine if\nthe request failed because of a non-existent user vs. wrong password.\n\nThe most likely attack vector is a local attack only.\nShiro security model\u00a0 https://shiro.apache.org/security-model.html#username_enumeration \u00a0discusses this as well.\n\nTypically, brute force attack can be mitigated at the infrastructure level."}], "id": "CVE-2026-23901", "lastModified": "2026-02-12T15:30:25.543", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 2.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "YES", "Recovery": "AUTOMATIC", "Safety": "NEGLIGIBLE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 1.0, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "GREEN", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "CONCENTRATED", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:A/V:C/RE:L/U:Green", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "LOW"}, "source": "security@apache.org", "type": "Secondary"}]}, "published": "2026-02-10T10:15:59.240", "references": [{"source": "security@apache.org", "tags": ["Issue Tracking", "Third Party Advisory", "Mailing List"], "url": "https://lists.apache.org/thread/mm1jct9b86jvnh3y44tj22xvjtx3xhhh"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2026/02/08/2"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-208"}], "source": "security@apache.org", "type": "Secondary"}]}

{"bugzilla": {"description": "org.apache.shiro/shiro-core: Apache Shiro: Brute force attack possible to determine valid user names", "id": "2438436", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2438436"}, "csaw": false, "cvss3": {"cvss3_base_score": "2.9", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "status": "draft"}, "cwe": "CWE-208", "details": ["No description is available for this CVE."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-23901", "package_state": [{"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Fix deferred", "package_name": "shiro-core", "product_name": "Red Hat build of Apache Camel for Spring Boot 4"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Fix deferred", "package_name": "shiro-core", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Fix deferred", "package_name": "shiro-core", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "shiro-core", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "shiro-core", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}], "public_date": "2026-02-10T09:25:51Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23901\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23901\nhttps://lists.apache.org/thread/mm1jct9b86jvnh3y44tj22xvjtx3xhhh"], "threat_severity": "Low"}