CVE-2026-23903
Analyzed Analyzed - Analysis Complete

Authentication Bypass in Apache Shiro Static File Handling

Vulnerability report for CVE-2026-23903, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-02-09

Last updated on: 2026-02-11

Assigner: Apache Software Foundation

Description

Authentication Bypass by Alternate Name vulnerability in Apache Shiro. This issue affects Apache Shiro: before 2.0.7. Users are recommended to upgrade to version 2.0.7, which fixes the issue. The issue only effects static files. If static files are served from a case-insensitive filesystem, such as default macOS setup, static files may be accessed by varying the case of the filename in the request. If only lower-case (common default) filters are present in Shiro, they may be bypassed this way. Shiro 2.0.7 and later has a new parameters to remediate this issue shiro.ini: filterChainResolver.caseInsensitive = true application.propertie: shiro.caseInsensitive=true Shiro 3.0.0 and later (upcoming) makes this the default.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-02-09
Last Modified
2026-02-11
Generated
2026-07-06
AI Q&A
2026-02-09
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
apache shiro to 2.0.7 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-289 The product performs authentication based on the name of a resource being accessed, or the name of the actor performing the access, but it does not properly check all possible names for that resource or actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is an Authentication Bypass by Alternate Name issue in Apache Shiro versions before 2.0.7.

It affects static files served from case-insensitive filesystems (like the default macOS setup), allowing access to static files by varying the case of the filename in the request.

If only lower-case filters are used in Shiro, this case variation can bypass those filters, leading to unauthorized access.

The issue is fixed in Apache Shiro version 2.0.7 by introducing parameters to handle case insensitivity in filter chains.

Impact Analysis

This vulnerability can allow unauthorized users to access static files that should be protected by authentication filters.

If your system serves static files from a case-insensitive filesystem and uses Apache Shiro versions before 2.0.7 without proper configuration, attackers may bypass security filters by altering the case of filenames.

This could lead to exposure of sensitive static content that was intended to be restricted.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate the Authentication Bypass by Alternate Name vulnerability in Apache Shiro, users are recommended to upgrade to version 2.0.7 or later, which fixes the issue.

Additionally, you can configure Shiro to handle case insensitivity properly by setting the following parameters:

  • In shiro.ini: filterChainResolver.caseInsensitive = true
  • In application.properties: shiro.caseInsensitive=true

Note that Shiro 3.0.0 and later will make this case-insensitive handling the default behavior.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23903. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart