{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23903", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2026-01-19T01:14:40.103Z", "datePublished": "2026-02-09T09:26:21.772Z", "dateUpdated": "2026-02-09T16:17:43.204Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected", "packageName": "org.apache.shiro:shiro-web", "product": "Apache Shiro", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "2.0.7", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jesse Yang"}, {"lang": "en", "type": "remediation developer", "value": "Lenny Pimak"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Authentication Bypass by Alternate Name vulnerability in Apache Shiro.</p><p>This issue affects Apache Shiro: before 2.0.7.</p><p>Users are recommended to upgrade to version 2.0.7, which fixes the issue.</p>The issue only effects static files. If static files are served from a case-insensitive filesystem,<br>such as default macOS setup, static files may be accessed by varying the case of the filename in the request.<br>If only lower-case (common default) filters are present in Shiro, they may be bypassed this way.<br><br>Shiro 2.0.7 and later has a new parameters to remediate this issue<br>shiro.ini: <span style=\"background-color: rgba(129, 139, 152, 0.12);\">filterChainResolver.caseInsensitive = true<br></span>application.propertie: shiro<span style=\"background-color: rgba(129, 139, 152, 0.12);\">.caseInsensitive=true<br></span><br>Shiro 3.0.0 and later (upcoming) makes this the default."}], "value": "Authentication Bypass by Alternate Name vulnerability in Apache Shiro.\n\nThis issue affects Apache Shiro: before 2.0.7.\n\nUsers are recommended to upgrade to version 2.0.7, which fixes the issue.\n\nThe issue only effects static files. If static files are served from a case-insensitive filesystem,\nsuch as default macOS setup, static files may be accessed by varying the case of the filename in the request.\nIf only lower-case (common default) filters are present in Shiro, they may be bypassed this way.\n\nShiro 2.0.7 and later has a new parameters to remediate this issue\nshiro.ini: filterChainResolver.caseInsensitive = true\napplication.propertie: shiro.caseInsensitive=true\n\nShiro 3.0.0 and later (upcoming) makes this the default."}], "metrics": [{"other": {"content": {"text": "low"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-289", "description": "CWE-289 Authentication Bypass by Alternate Name", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-02-09T09:26:21.772Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/5jjf0hnjcol58z2m5y255c7scz1lnp8k"}], "source": {"discovery": "EXTERNAL"}, "title": "Apache Shiro: Auth bypass when accessing static files only on case-insensitive filesystems", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/02/08/1"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-02-09T10:25:43.212Z"}}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-02-09T16:17:20.608697Z", "id": "CVE-2026-23903", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-09T16:17:43.204Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/02/08/1"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-02-09T10:25:43.212Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-23903", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-09T16:17:20.608697Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-09T16:16:07.848Z"}}], "cna": {"title": "Apache Shiro: Auth bypass when accessing static files only on case-insensitive filesystems", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Jesse Yang"}, {"lang": "en", "type": "remediation developer", "value": "Lenny Pimak"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "low"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Shiro", "versions": [{"status": "affected", "version": "0", "lessThan": "2.0.7", "versionType": "semver"}], "packageName": "org.apache.shiro:shiro-web", "collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected"}], "references": [{"url": "https://lists.apache.org/thread/5jjf0hnjcol58z2m5y255c7scz1lnp8k", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Authentication Bypass by Alternate Name vulnerability in Apache Shiro.\n\nThis issue affects Apache Shiro: before 2.0.7.\n\nUsers are recommended to upgrade to version 2.0.7, which fixes the issue.\n\nThe issue only effects static files. If static files are served from a case-insensitive filesystem,\nsuch as default macOS setup, static files may be accessed by varying the case of the filename in the request.\nIf only lower-case (common default) filters are present in Shiro, they may be bypassed this way.\n\nShiro 2.0.7 and later has a new parameters to remediate this issue\nshiro.ini: filterChainResolver.caseInsensitive = true\napplication.propertie: shiro.caseInsensitive=true\n\nShiro 3.0.0 and later (upcoming) makes this the default.", "supportingMedia": [{"type": "text/html", "value": "<p>Authentication Bypass by Alternate Name vulnerability in Apache Shiro.</p><p>This issue affects Apache Shiro: before 2.0.7.</p><p>Users are recommended to upgrade to version 2.0.7, which fixes the issue.</p>The issue only effects static files. If static files are served from a case-insensitive filesystem,<br>such as default macOS setup, static files may be accessed by varying the case of the filename in the request.<br>If only lower-case (common default) filters are present in Shiro, they may be bypassed this way.<br><br>Shiro 2.0.7 and later has a new parameters to remediate this issue<br>shiro.ini: <span style=\"background-color: rgba(129, 139, 152, 0.12);\">filterChainResolver.caseInsensitive = true<br></span>application.propertie: shiro<span style=\"background-color: rgba(129, 139, 152, 0.12);\">.caseInsensitive=true<br></span><br>Shiro 3.0.0 and later (upcoming) makes this the default.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-289", "description": "CWE-289 Authentication Bypass by Alternate Name"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-02-09T09:26:21.772Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23903", "state": "PUBLISHED", "dateUpdated": "2026-02-09T16:17:43.204Z", "dateReserved": "2026-01-19T01:14:40.103Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2026-02-09T09:26:21.772Z", "assignerShortName": "apache"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:shiro:*:*:*:*:*:*:*:*", "matchCriteriaId": "9E1B2B45-F100-4693-9F70-FE8D342853A3", "versionEndExcluding": "2.0.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Authentication Bypass by Alternate Name vulnerability in Apache Shiro.\n\nThis issue affects Apache Shiro: before 2.0.7.\n\nUsers are recommended to upgrade to version 2.0.7, which fixes the issue.\n\nThe issue only effects static files. If static files are served from a case-insensitive filesystem,\nsuch as default macOS setup, static files may be accessed by varying the case of the filename in the request.\nIf only lower-case (common default) filters are present in Shiro, they may be bypassed this way.\n\nShiro 2.0.7 and later has a new parameters to remediate this issue\nshiro.ini: filterChainResolver.caseInsensitive = true\napplication.propertie: shiro.caseInsensitive=true\n\nShiro 3.0.0 and later (upcoming) makes this the default."}], "id": "CVE-2026-23903", "lastModified": "2026-02-11T18:30:59.070", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-09T10:15:57.520", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/5jjf0hnjcol58z2m5y255c7scz1lnp8k"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2026/02/08/1"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-289"}], "source": "security@apache.org", "type": "Secondary"}]}

{"bugzilla": {"description": "org.apache.shiro/shiro-web: Apache Shiro: Auth bypass when accessing static files only on case-insensitive filesystems", "id": "2437850", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2437850"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "status": "draft"}, "cwe": "CWE-289", "details": ["No description is available for this CVE."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-23903", "package_state": [{"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Fix deferred", "package_name": "shiro-web", "product_name": "Red Hat build of Apache Camel for Spring Boot 4"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Fix deferred", "package_name": "shiro-web", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "shiro-web", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "shiro-web", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}], "public_date": "2026-02-09T09:26:21Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23903\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23903\nhttp://www.openwall.com/lists/oss-security/2026/02/08/1\nhttps://lists.apache.org/thread/5jjf0hnjcol58z2m5y255c7scz1lnp8k"], "threat_severity": "Moderate"}