CVE-2026-23903

216.73.216.233

· Published 09/02/2026 10:15 · Modified 09/02/2026 18:16

Labels: CVE-2026-23903 2026-02-09 CVE-2026-23903 CWE-289 [email protected]

Essential information

Published: 09/02/2026 10:15
Modified: 09/02/2026 18:16
Author: —
Creator: —
CVSS: 5.3 MEDIUM (v3.1)
CISA KEV: No
CWE: —
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS metrics

Description

Authentication Bypass by Alternate Name vulnerability in Apache Shiro. This issue affects Apache Shiro: before 2.0.7. Users are recommended to upgrade to version 2.0.7, which fixes the issue. The issue only effects static files. If static files are served from a case-insensitive filesystem, such as default macOS setup, static files may be accessed by varying the case of the filename in the request. If only lower-case (common default) filters are present in Shiro, they may be bypassed this way. Shiro 2.0.7 and later has a new parameters to remediate this issue shiro.ini: filterChainResolver.caseInsensitive = true application.propertie: shiro.caseInsensitive=true Shiro 3.0.0 and later (upcoming) makes this the default.

NVD status

Status: Undergoing Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]
NVD: View on NVD

Affected products (CPE)

Product	CPE
apache / shiro	`cpe:2.3:a:apache:shiro:<2.0.7:::::::*`