Bug 2438436 (CVE-2026-23901) - CVE-2026-23901 org.apache.shiro/shiro-core: Apache Shiro: Brute force attack possible to determine valid user names
Summary: CVE-2026-23901 org.apache.shiro/shiro-core: Apache Shiro: Brute force attack ...
Keywords:
Status: NEW
Alias: CVE-2026-23901
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-02-10 10:01 UTC by OSIDB Bzimport
Modified: 2026-02-18 08:29 UTC (History)
26 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-02-10 10:01:13 UTC 
Observable Timing Discrepancy vulnerability in Apache Shiro.

This issue affects Apache Shiro: from 1.*, 2.* before 2.0.7.

Users are recommended to upgrade to version 2.0.7 or later, which fixes the issue.

Prior to Shiro 2.0.7, code paths for non-existent vs. existing users are different enough,
that a brute-force attack may be able to tell, by timing the requests only, determine if
the request failed because of a non-existent user vs. wrong password.

The most likely attack vector is a local attack only.
Shiro security model  https://shiro.apache.org/security-model.html#username_enumeration  discusses this as well.

Typically, brute force attack can be mitigated at the infrastructure level.
Note You need to log in before you can comment on or make changes to this bug.