CVE-2026-23903
Analyzed Analyzed - Analysis Complete
Authentication Bypass in Apache Shiro Static File Handling

Publication date: 2026-02-09

Last updated on: 2026-02-11

Assigner: Apache Software Foundation

Description
Authentication Bypass by Alternate Name vulnerability in Apache Shiro. This issue affects Apache Shiro: before 2.0.7. Users are recommended to upgrade to version 2.0.7, which fixes the issue. The issue only effects static files. If static files are served from a case-insensitive filesystem, such as default macOS setup, static files may be accessed by varying the case of the filename in the request. If only lower-case (common default) filters are present in Shiro, they may be bypassed this way. Shiro 2.0.7 and later has a new parameters to remediate this issue shiro.ini: filterChainResolver.caseInsensitive = true application.propertie: shiro.caseInsensitive=true Shiro 3.0.0 and later (upcoming) makes this the default.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-09
Last Modified
2026-02-11
Generated
2026-06-16
AI Q&A
2026-02-09
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23903
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
apache shiro to 2.0.7 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-289 The product performs authentication based on the name of a resource being accessed, or the name of the actor performing the access, but it does not properly check all possible names for that resource or actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an Authentication Bypass by Alternate Name issue in Apache Shiro versions before 2.0.7.

It affects static files served from case-insensitive filesystems (like the default macOS setup), allowing access to static files by varying the case of the filename in the request.

If only lower-case filters are used in Shiro, this case variation can bypass those filters, leading to unauthorized access.

The issue is fixed in Apache Shiro version 2.0.7 by introducing parameters to handle case insensitivity in filter chains.

Impact Analysis

This vulnerability can allow unauthorized users to access static files that should be protected by authentication filters.

If your system serves static files from a case-insensitive filesystem and uses Apache Shiro versions before 2.0.7 without proper configuration, attackers may bypass security filters by altering the case of filenames.

This could lead to exposure of sensitive static content that was intended to be restricted.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate the Authentication Bypass by Alternate Name vulnerability in Apache Shiro, users are recommended to upgrade to version 2.0.7 or later, which fixes the issue.

Additionally, you can configure Shiro to handle case insensitivity properly by setting the following parameters:

  • In shiro.ini: filterChainResolver.caseInsensitive = true
  • In application.properties: shiro.caseInsensitive=true

Note that Shiro 3.0.0 and later will make this case-insensitive handling the default behavior.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23903. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart