CVE-2026-49268
Analyzed Analyzed - Analysis Complete

LDAP Injection in Apache Shiro DefaultLdapRealm

Vulnerability report for CVE-2026-49268, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-17

Last updated on: 2026-06-18

Assigner: Apache Software Foundation

Description

A remote attacker can inject LDAP special characters into the Distinguished Name (DN) construction in DefaultLdapRealm class. User-supplied username input is directly concatenated into the LDAP DN template without any escaping of RFC 2253 special characters. This allows an attacker to manipulate the DN structure used for LDAP bind authentication, potentially bypassing authentication or impersonating other users. This issue affects all Apache Shiro versions through 2.2.0, and 3.0.0-alpha-1 when usingΒ DefaultLdapRealm Upgrade to Apache Shiro 2.2.1 or 3.0.0-alpha-2 or later, which fixes the issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-17
Last Modified
2026-06-18
Generated
2026-07-08
AI Q&A
2026-06-17
EPSS Evaluated
2026-07-06
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
apache shiro 3.0.0
apache shiro to 2.2.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-90 The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability occurs because the DefaultLdapRealm class in Apache Shiro directly concatenates user-supplied username input into the LDAP Distinguished Name (DN) template without escaping special characters defined by RFC 2253.

An attacker can inject LDAP special characters into the DN construction, which allows them to manipulate the DN structure used for LDAP bind authentication.

This manipulation can potentially let the attacker bypass authentication or impersonate other users.

Impact Analysis

The vulnerability can allow a remote attacker to bypass authentication mechanisms or impersonate other users by injecting special LDAP characters into the DN.

This can lead to unauthorized access to systems or data protected by Apache Shiro's LDAP authentication.

Mitigation Strategies

To mitigate this vulnerability, upgrade Apache Shiro to version 2.2.1 or later, or to 3.0.0-alpha-2 or later if using the 3.x alpha releases.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49268. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart