CVE-2026-23901
Analyzed Analyzed - Analysis Complete
Timing Side-Channel User Enumeration in Apache Shiro Before

Publication date: 2026-02-10

Last updated on: 2026-02-12

Assigner: Apache Software Foundation

Description
Observable Timing Discrepancy vulnerability in Apache Shiro. This issue affects Apache Shiro: from 1.*, 2.* before 2.0.7. Users are recommended to upgrade to version 2.0.7 or later, which fixes the issue. Prior to Shiro 2.0.7, code paths for non-existent vs. existing users are different enough, that a brute-force attack may be able to tell, by timing the requests only, determine if the request failed because of a non-existent user vs. wrong password. The most likely attack vector is a local attack only. Shiro security modelΒ  https://shiro.apache.org/security-model.html#username_enumeration Β discusses this as well. Typically, brute force attack can be mitigated at the infrastructure level.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-10
Last Modified
2026-02-12
Generated
2026-06-16
AI Q&A
2026-02-10
EPSS Evaluated
2026-06-14
NVD
CVE-2026-23901
EUVD
EUVD-2026-6879
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
apache shiro to 2.0.7 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-208 Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-23901 is a low-severity vulnerability in Apache Shiro versions 1.* up to before 2.0.7 involving an observable timing discrepancy.

The vulnerability arises because the code paths for handling authentication failures differ in timing when the username does not exist versus when the password is incorrect for an existing user.

An attacker can exploit this timing difference by measuring how long authentication requests take to fail, thereby distinguishing valid usernames from non-existent ones.

This enables username enumeration through timing analysis, primarily in local attack scenarios.

The issue is fixed in Apache Shiro version 2.0.7 and later.

Impact Analysis

This vulnerability allows an attacker to perform username enumeration by distinguishing valid usernames from invalid ones based on timing differences during authentication failures.

With valid usernames identified, an attacker can focus brute-force password attacks more effectively.

However, the attack vector is primarily local, and brute-force attacks can often be mitigated at the infrastructure level.

Overall, the impact is considered low severity but could aid attackers in compromising user accounts if combined with other weaknesses.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by performing timing analysis on authentication requests to Apache Shiro. Specifically, by measuring the time taken for authentication failures, an attacker or tester can distinguish between non-existent usernames and existing usernames with incorrect passwords due to observable timing discrepancies.

Detection involves sending multiple authentication requests with different usernames and measuring the response times to identify statistically significant differences.

No specific commands are provided in the available resources, but typical approaches might include using tools like curl or custom scripts to automate authentication attempts and measure response times.

Mitigation Strategies

The primary immediate step to mitigate this vulnerability is to upgrade Apache Shiro to version 2.0.7 or later, where the issue has been fixed.

Additionally, mitigation can be implemented at the infrastructure level to prevent brute-force attacks, such as rate limiting, account lockout policies, or other brute-force protections.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23901. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart