CVE-2026-23901

CVE-2026-23901 is a low-severity vulnerability in Apache Shiro with a CVSS 3.x base score of 2.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-208.

Key facts

Description

Observable Timing Discrepancy vulnerability in Apache Shiro. This issue affects Apache Shiro: from 1.*, 2.* before 2.0.7. Users are recommended to upgrade to version 2.0.7 or later, which fixes the issue. Prior to Shiro 2.0.7, code paths for non-existent vs. existing users are different enough, that a brute-force attack may be able to tell, by timing the requests only, determine if the request failed because of a non-existent user vs. wrong password. The most likely attack vector is a local attack only. Shiro security model  https://shiro.apache.org/security-model.html#username_enumeration  discusses this as well. Typically, brute force attack can be mitigated at the infrastructure level.

Frequently asked questions

What is CVE-2026-23901?
Observable Timing Discrepancy vulnerability in Apache Shiro. This issue affects Apache Shiro: from 1.*, 2.* before 2.0.7. Users are recommended to upgrade to version 2.0.7 or later, which fixes the issue. Prior to Shiro 2.0.7, code paths for non-existent vs. existing users are different enough, that a brute-force attack may be able to tell, by timing the requests only, determine if the request failed because of a non-existent user vs. wrong password. The most likely attack vector is a local attack only. Shiro security model  https://shiro.apache.org/security-model.html#username_enumeration  discusses this as well. Typically, brute force attack can be mitigated at the infrastructure level.
How severe is CVE-2026-23901?
CVE-2026-23901 has a CVSS 3.x base score of 2.5, rated low severity. It is exploitable over local access with high attack complexity, requires low privileges and no user interaction. Impact on confidentiality is low, integrity none, and availability none.
Is CVE-2026-23901 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (12th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2026-23901?
CVE-2026-23901 affects Apache Shiro. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2026-23901?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
Does CVE-2026-23901 have an EU (EUVD) identifier?
Yes. CVE-2026-23901 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-6879.
When was CVE-2026-23901 published?
CVE-2026-23901 was published on 2026-02-10 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Apache Shiro

All CVEs affecting Apache Shiro →

Other CWE-208 vulnerabilities

Browse all CWE-208 vulnerabilities →