CVE-2026-23901
Timing Side-Channel User Enumeration in Apache Shiro Before
Publication date: 2026-02-10
Last updated on: 2026-02-12
Assigner: Apache Software Foundation
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | shiro | before 2.0.7 (2.0.7 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-208 | Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-23901 is a low-severity vulnerability in Apache Shiro versions from 1.x up to, but not including, 2.0.7, involving an observable timing discrepancy.
The vulnerability arises because the code paths for handling authentication failures differ in timing when the username does not exist versus when the password is incorrect for an existing user.
An attacker can exploit this timing difference by measuring how long authentication requests take to fail, thereby distinguishing valid usernames from non-existent ones.
This enables username enumeration through timing analysis, primarily in local attack scenarios.
The issue is fixed in Apache Shiro version 2.0.7 and later.
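The mechanism described above is the generic CWE-208 login pattern: when the user record is missing, the failure path skips the expensive password-hash computation and returns faster than the failure path for a real user with a wrong password. The following is an added illustration, not Apache Shiro's code and not the actual 2.0.7 patch: a minimal login function in its vulnerable form beside a hardened form that always runs the key-derivation function against a fixed dummy credential so both failure paths do the same work. The user store, salts, passwords and the `kdf_calls_for` helper are constructed for this example.

```python
import hashlib
import hmac

# Constructed parameters for the example; a real deployment would use a
# stronger work factor and per-user random salts.
ITERATIONS = 20_000
KDF_CALLS = {"n": 0}  # counts key-derivation invocations, a proxy for elapsed time


def derive(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; this is the slow step whose presence or absence leaks."""
    KDF_CALLS["n"] += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store: username -> (salt, stored hash).
_ALICE_SALT = b"constructed-salt-alice"
USERS = {"alice": (_ALICE_SALT, derive("correct horse", _ALICE_SALT))}

# Fixed dummy credential used only to equalise the cost of unknown-user failures.
DUMMY_SALT = b"constructed-dummy-salt"
DUMMY_HASH = derive("constructed-dummy-password", DUMMY_SALT)


def login_vulnerable(username: str, password: str) -> bool:
    """Vulnerable form: unknown users fail fast, before any KDF work is done."""
    record = USERS.get(username)
    if record is None:
        return False  # early exit -> measurably faster than a wrong-password failure
    salt, stored = record
    return hmac.compare_digest(derive(password, salt), stored)


def login_hardened(username: str, password: str) -> bool:
    """Hardened form: the KDF always runs once, whether or not the user exists."""
    record = USERS.get(username)
    exists = record is not None
    salt, stored = record if exists else (DUMMY_SALT, DUMMY_HASH)
    match = hmac.compare_digest(derive(password, salt), stored)
    # Decide only after the constant amount of work has been performed.
    return match and exists


def kdf_calls_for(login, username: str, password: str) -> int:
    """Return how many KDF invocations a login attempt triggered."""
    before = KDF_CALLS["n"]
    login(username, password)
    return KDF_CALLS["n"] - before


if __name__ == "__main__":
    for fn in (login_vulnerable, login_hardened):
        print(fn.__name__,
              "unknown user:", kdf_calls_for(fn, "nobody", "x"),
              "wrong password:", kdf_calls_for(fn, "alice", "x"))
```

Counting KDF invocations rather than wall-clock time makes the difference deterministic: the vulnerable function does zero hash work for an unknown username and one full derivation for a known one, while the hardened function does exactly one derivation in both cases. The dummy-hash technique equalises only the hashing step; a database lookup that returns faster for missing rows, or logging that differs by branch, can reintroduce a smaller discrepancy, which is why the page's primary recommendation remains upgrading to the fixed release.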
How can this vulnerability impact me?
This vulnerability allows an attacker to perform username enumeration by distinguishing valid usernames from invalid ones based on timing differences during authentication failures.
With valid usernames identified, an attacker can focus brute-force password attacks more effectively.
However, the attack vector is primarily local, and brute-force attacks can often be mitigated at the infrastructure level.
Overall, the impact is considered low severity but could aid attackers in compromising user accounts if combined with other weaknesses.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by performing timing analysis on authentication requests to Apache Shiro. Specifically, by measuring the time taken for authentication failures, an attacker or tester can distinguish between non-existent usernames and existing usernames with incorrect passwords due to observable timing discrepancies.
Detection involves sending multiple authentication requests with different usernames and measuring the response times to identify statistically significant differences.
No specific commands are provided in the available resources, but typical approaches might include using tools like curl or custom scripts to automate authentication attempts and measure response times.
What immediate steps should I take to mitigate this vulnerability?
The primary immediate step to mitigate this vulnerability is to upgrade Apache Shiro to version 2.0.7 or later, where the issue has been fixed.
Additionally, mitigation can be implemented at the infrastructure level to prevent brute-force attacks, such as rate limiting, account lockout policies, or other brute-force protections.