Bug 2437850 (CVE-2026-23903) - CVE-2026-23903 org.apache.shiro/shiro-web: Apache Shiro: Auth bypass when accessing static files only on case-insensitive filesystems
Summary: CVE-2026-23903 org.apache.shiro/shiro-web: Apache Shiro: Auth bypass when acc...
Keywords:
Status: NEW
Alias: CVE-2026-23903
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-02-09 11:09 UTC by OSIDB Bzimport
Modified: 2026-02-18 08:27 UTC (History)
26 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-02-09 11:09:49 UTC 
Authentication Bypass by Alternate Name vulnerability in Apache Shiro.

This issue affects Apache Shiro: before 2.0.7.

Users are recommended to upgrade to version 2.0.7, which fixes the issue.

The issue only effects static files. If static files are served from a case-insensitive filesystem,
such as default macOS setup, static files may be accessed by varying the case of the filename in the request.
If only lower-case (common default) filters are present in Shiro, they may be bypassed this way.

Shiro 2.0.7 and later has a new parameters to remediate this issue
shiro.ini: filterChainResolver.caseInsensitive = true
application.propertie: shiro.caseInsensitive=true

Shiro 3.0.0 and later (upcoming) makes this the default.
Note You need to log in before you can comment on or make changes to this bug.