Description
Observable Timing Discrepancy vulnerability in Apache Shiro.

This issue affects Apache Shiro: from 1.*, 2.* before 2.0.7.

Users are recommended to upgrade to version 2.0.7 or later, which fixes the issue.

Prior to Shiro 2.0.7, code paths for non-existent vs. existing users are different enough
that a brute-force attack may be able to tell, by timing the requests only, whether
the request failed because of a non-existent user or a wrong password.

The most likely attack vector is a local attack only.
The Shiro security model page, https://shiro.apache.org/security-model.html#username_enumeration, discusses this as well.

Typically, a brute-force attack can be mitigated at the infrastructure level.
Published: 2026-02-10
Score: 1 Low
EPSS: < 1% Very Low
KEV: No
Impact: Timing-based User Enumeration
Action: Patch
AI Analysis

Impact

Apache Shiro allows an attacker to determine whether a username exists purely by measuring the response time of authentication requests. Because the processing path differs for valid and invalid accounts, a brute‑force attacker can incrementally identify all legitimate usernames. The vulnerability is a timing attack, mapped to CWE‑208, and can lead to credential guessing and social engineering when used with other known weaknesses.

Affected Systems

The affected product is Apache Shiro, a security framework used by many Java applications. Versions 1.* and any 2.* release prior to 2.0.7 are vulnerable: Shiro 1.0 through 2.0.6 lacks the patch that removes the timing inconsistency.

Risk and Exploitability

The CVSS base score is 1, a low severity rating. EPSS indicates a very low exploitation probability (<1%), and the vulnerability is not listed in CISA's KEV catalog. Exploitation requires local or network access to the Shiro authentication interface and relies on accurately timing responses, which is typically feasible from a sandboxed or moderately privileged position. Attackers need no additional privileges, but precise timing is easier to capture from a privileged or local vantage point, so the risk remains low but non-negligible.

Generated by OpenCVE AI on April 17, 2026 at 20:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Shiro 2.0.7 or later.
  • Configure brute‑force protection and rate limiting on authentication endpoints.
  • If an immediate upgrade is not possible, enforce uniform authentication response times to hide timing differences.
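The third recommendation, uniform response times, as an added illustration that is not Shiro code and not part of the advisory: a Python sketch (assumed function names, a constructed single-user store) of the leaky pattern, where an unknown username fails before any password hashing, beside the uniform pattern, which verifies a dummy credential on the unknown-user path so both failures do the same work.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000  # PBKDF2 work factor; makes the hashing step measurable

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# Constructed sample store: one user with a salted PBKDF2-HMAC-SHA256 hash.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Dummy credential verified whenever the username is unknown, so the
# unknown-user path performs the same hashing work as the known-user path.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("dummy-never-matches", _DUMMY_SALT)

def authenticate_leaky(username: str, password: str) -> bool:
    """Leaky: unknown users fail before hashing, so that failure is measurably faster."""
    record = USERS.get(username)
    if record is None:
        return False  # early return: account existence leaks through timing
    salt, stored = record
    return hmac.compare_digest(_hash(password, salt), stored)

def authenticate_uniform(username: str, password: str) -> bool:
    """Uniform: both paths hash and compare in constant time; the dummy
    credential can be compared but never authenticates."""
    record = USERS.get(username)
    user_exists = record is not None
    salt, stored = record if user_exists else (_DUMMY_SALT, _DUMMY_HASH)
    match = hmac.compare_digest(_hash(password, salt), stored)
    return match and user_exists

def median_seconds(fn, username: str, password: str, rounds: int = 5) -> float:
    # Median wall-clock time of fn(username, password): a local check of the fix.
    samples = []
    for _ in range(rounds):
        start = time.perf_counter()
        fn(username, password)
        samples.append(time.perf_counter() - start)
    return sorted(samples)[rounds // 2]

if __name__ == "__main__":
    for fn in (authenticate_leaky, authenticate_uniform):
        known = median_seconds(fn, "alice", "wrong-password")
        unknown = median_seconds(fn, "nobody", "wrong-password")
        print(f"{fn.__name__}: known {known * 1e3:.1f} ms, unknown {unknown * 1e3:.1f} ms")
```

Run stand-alone, the leaky function shows a near-zero unknown-user time against a hashing-sized known-user time, while the uniform function shows two comparable times; network jitter and rate limiting still belong on top of this, as the other recommendations say.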

Generated by OpenCVE AI on April 17, 2026 at 20:51 UTC.

Advisories
Source: Github GHSA
ID: GHSA-c4qc-4q9p-m9q9
Title: Apache Shiro Affected by an Observable Timing Discrepancy Vulnerability
History

Thu, 12 Feb 2026 15:45:00 +0000

CPEs (added): cpe:2.3:a:apache:shiro:*:*:*:*:*:*:*:*
Metrics cvssV3_1 (removed): {'score': 2.9, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N'}
Metrics cvssV3_1 (added): {'score': 2.5, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N'}


Wed, 11 Feb 2026 00:15:00 +0000

References
Metrics threat_severity (removed): None
Metrics cvssV3_1 (added): {'score': 2.9, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N'}
Metrics threat_severity (added): Low


Tue, 10 Feb 2026 16:15:00 +0000

Metrics ssvc (added): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 10 Feb 2026 15:45:00 +0000

First Time appeared (added): Apache, Apache shiro
Vendors & Products (added): Apache, Apache shiro

Tue, 10 Feb 2026 11:30:00 +0000

References

Tue, 10 Feb 2026 09:45:00 +0000

Description (added): Observable Timing Discrepancy vulnerability in Apache Shiro. This issue affects Apache Shiro: from 1.*, 2.* before 2.0.7. Users are recommended to upgrade to version 2.0.7 or later, which fixes the issue. Prior to Shiro 2.0.7, code paths for non-existent vs. existing users are different enough, that a brute-force attack may be able to tell, by timing the requests only, determine if the request failed because of a non-existent user vs. wrong password. The most likely attack vector is a local attack only. Shiro security model  https://shiro.apache.org/security-model.html#username_enumeration  discusses this as well. Typically, brute force attack can be mitigated at the infrastructure level.
Title (added): Apache Shiro: Brute force attack possible to determine valid user names
Weaknesses (added): CWE-208
References
Metrics cvssV4_0 (added): {'score': 1, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/S:N/AU:Y/R:A/V:C/RE:L/U:Green'}


MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-02-10T15:31:25.166Z

Reserved: 2026-01-17T18:01:53.140Z

Link: CVE-2026-23901

Vulnrichment

Updated: 2026-02-10T10:22:44.721Z

NVD

Status: Analyzed

Published: 2026-02-10T10:15:59.240

Modified: 2026-02-12T15:30:25.543

Link: CVE-2026-23901

Redhat

Severity: Low

Public Date: 2026-02-10T09:25:51Z

Links: CVE-2026-23901 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T21:00:12Z

Weaknesses