Description
A remote attacker can inject LDAP special characters into the Distinguished Name (DN) construction in DefaultLdapRealm class. User-supplied username input is directly concatenated into the LDAP DN template without any escaping of RFC 2253 special characters. This allows an attacker to manipulate the DN structure used for LDAP bind authentication, potentially bypassing authentication or impersonating other users.

This issue affects all Apache Shiro versions through 2.2.0, and 3.0.0-alpha-1 when using DefaultLdapRealm
Upgrade to Apache Shiro 2.2.1 or 3.0.0-alpha-2 or later, which fixes the issue.
Published: 2026-06-17
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw in Apache Shiro's DefaultLdapRealm enables LDAP DN injection. A remote attacker can craft a username containing RFC 2253 special characters that are concatenated directly into the DN template without escaping, allowing manipulation of the DN used for LDAP bind authentication. This can result in authentication bypass or user impersonation.

Affected Systems

All Apache Shiro releases up to and including version 2.2.0, and the 3.0.0‑alpha-1 build that employs DefaultLdapRealm are affected. Upgrading to Apache Shiro 2.2.1 or 3.0.0‑alpha-2 or later fixes the vulnerability.

Risk and Exploitability

The vulnerability receives a CVSS score of 8.8, denoting high severity. No EPSS score is publicly available, and it is not listed in CISA’s KEV database. The likely attack vector is remote unauthenticated access, where the attacker supplies a crafted username containing LDAP special characters over the network to trigger the injection. Based on the description, it is inferred that no prior authentication is required to exploit the flaw. Because the injection can modify the LDAP DN structure, the attacker can bypass authentication or impersonate other users, potentially compromising confidentiality and integrity.

Generated by OpenCVE AI on June 18, 2026 at 13:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch by upgrading to Apache Shiro 2.2.1 or newer releases.
  • Sanitize user input by escaping RFC 2253 special characters before concatenating into the DN template as a temporary mitigation.
  • Restrict application access to trusted networks or employ authentication mechanisms that do not rely on DefaultLdapRealm.

Generated by OpenCVE AI on June 18, 2026 at 13:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-x96m-rh44-vgv8 Apache Shiro: LDAP DN Injection in DefaultLdapRealm
History

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache shiro
Vendors & Products Apache
Apache shiro
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Description A remote attacker can inject LDAP special characters into the Distinguished Name (DN) construction in DefaultLdapRealm class. User-supplied username input is directly concatenated into the LDAP DN template without any escaping of RFC 2253 special characters. This allows an attacker to manipulate the DN structure used for LDAP bind authentication, potentially bypassing authentication or impersonating other users. This issue affects all Apache Shiro versions through 2.2.0, and 3.0.0-alpha-1 when using DefaultLdapRealm Upgrade to Apache Shiro 2.2.1 or 3.0.0-alpha-2 or later, which fixes the issue.
Title Apache Shiro: LDAP DN Injection in DefaultLdapRealm
Weaknesses CWE-90
References
Metrics cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/S:P/AU:Y/R:A/RE:L/U:Red'}


cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-17T17:02:22.861Z

Reserved: 2026-05-28T17:20:37.590Z

Link: CVE-2026-49268

cve-icon Vulnrichment

Updated: 2026-06-17T17:02:22.861Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T14:00:16Z

Weaknesses
  • CWE-90

    Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')