Description
Authentication Bypass by Alternate Name vulnerability in Apache Shiro.

This issue affects Apache Shiro: before 2.0.7.

Users are recommended to upgrade to version 2.0.7, which fixes the issue.

The issue only effects static files. If static files are served from a case-insensitive filesystem,
such as default macOS setup, static files may be accessed by varying the case of the filename in the request.
If only lower-case (common default) filters are present in Shiro, they may be bypassed this way.

Shiro 2.0.7 and later has a new parameters to remediate this issue
shiro.ini: filterChainResolver.caseInsensitive = true
application.propertie: shiro.caseInsensitive=true

Shiro 3.0.0 and later (upcoming) makes this the default.
Published: 2026-02-09
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass for static file access
Action: Patch
AI Analysis

Impact

The vulnerability allows an attacker to bypass authentication filters when accessing static files served from a case‑insensitive filesystem, such as the default macOS setup. If the application delivers static content and the filesystem treats uppercase and lowercase file names as equivalent, an attacker can change the case of the file name in the HTTP request to circumvent the configured filters that only detect lower‑case names. This leads to unauthorized access to protected static resources rather than the entire application, but it still allows leakage of potentially sensitive data.

Affected Systems

All releases of Apache Shiro prior to 2.0.7 are affected. The issue is addressed in 2.0.7, which introduces a new parameter in shiro.ini or application.properties that enables case‑insensitive filter resolution when true. Future versions 3.0.0 and later make this behaviour the default.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, while the EPSS score of less than 1% suggests very low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw remotely via HTTP requests by altering the case of a static file name; no special privileges or local access are required. Given the moderate score but low likelihood of exploitation, the overall risk remains moderate, but patching is recommended to eliminate the possibility of unauthorized static content exposure.

Generated by OpenCVE AI on April 18, 2026 at 18:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Shiro to version 2.0.7 or later
  • If upgrade is not immediately possible, enable case‑insensitive filter resolution by setting filterChainResolver.caseInsensitive=true in shiro.ini or shiro.caseInsensitive=true in application.properties
  • As a temporary safeguard, configure the application to serve static files only from lower‑case filenames or restrict static file access to authenticated users, ensuring that case‑based bypass is mitigated

Generated by OpenCVE AI on April 18, 2026 at 18:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-c244-p6m5-vqj6 Apache Shiro has an Authentication Bypass
History

Wed, 11 Feb 2026 18:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:apache:shiro:*:*:*:*:*:*:*:*

Tue, 10 Feb 2026 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache shiro
Vendors & Products Apache
Apache shiro

Tue, 10 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Mon, 09 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 09 Feb 2026 11:30:00 +0000

Type Values Removed Values Added
References

Mon, 09 Feb 2026 09:45:00 +0000

Type Values Removed Values Added
Description Authentication Bypass by Alternate Name vulnerability in Apache Shiro. This issue affects Apache Shiro: before 2.0.7. Users are recommended to upgrade to version 2.0.7, which fixes the issue. The issue only effects static files. If static files are served from a case-insensitive filesystem, such as default macOS setup, static files may be accessed by varying the case of the filename in the request. If only lower-case (common default) filters are present in Shiro, they may be bypassed this way. Shiro 2.0.7 and later has a new parameters to remediate this issue shiro.ini: filterChainResolver.caseInsensitive = true application.propertie: shiro.caseInsensitive=true Shiro 3.0.0 and later (upcoming) makes this the default.
Title Apache Shiro: Auth bypass when accessing static files only on case-insensitive filesystems
Weaknesses CWE-289
References

Subscriptions

Apache Shiro
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-02-09T16:17:43.204Z

Reserved: 2026-01-19T01:14:40.103Z

Link: CVE-2026-23903

cve-icon Vulnrichment

Updated: 2026-02-09T10:25:43.212Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-09T10:15:57.520

Modified: 2026-02-11T18:30:59.070

Link: CVE-2026-23903

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-02-09T09:26:21Z

Links: CVE-2026-23903 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T18:30:07Z

Weaknesses