CVE-2026-49268
Status: Awaiting Analysis
LDAP Injection in Apache Shiro DefaultLdapRealm

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: Apache Software Foundation

Description
A remote attacker can inject LDAP special characters into the Distinguished Name (DN) construction in the DefaultLdapRealm class. User-supplied username input is directly concatenated into the LDAP DN template without any escaping of RFC 2253 special characters. This allows an attacker to manipulate the DN structure used for LDAP bind authentication, potentially bypassing authentication or impersonating other users. This issue affects all Apache Shiro versions through 2.2.0, and 3.0.0-alpha-1, when using DefaultLdapRealm. Upgrade to Apache Shiro 2.2.1 or 3.0.0-alpha-2 or later, which fixes the issue.
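As an added illustration (not Shiro's own code), the Java snippet below shows the pattern the description refers to: a DN template with a username slot filled by raw substitution, beside the same substitution with RFC 2253 escaping through the JDK's javax.naming.ldap.Rdn.escapeValue, plus a structural check that the built DN still has the template's RDN count. The template string, the {0} placeholder convention and the sample username are assumptions made for the example.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class UserDnEscapeDemo {
    // Hypothetical DN template; "{0}" marks the slot the username is substituted into.
    static final String USER_DN_TEMPLATE = "uid={0},ou=users,dc=example,dc=com";

    // Vulnerable pattern: the raw username is substituted with no RFC 2253 escaping,
    // so a comma or equals sign in the input changes the DN's structure.
    static String unsafeUserDn(String username) {
        return USER_DN_TEMPLATE.replace("{0}", username);
    }

    // Hardened pattern: escape the value first, so every special character in the
    // username stays part of the single uid attribute value.
    static String safeUserDn(String username) {
        return USER_DN_TEMPLATE.replace("{0}", Rdn.escapeValue(username));
    }

    // Defensive check: the DN must parse, and its RDN count must match the template's.
    // A DN that grew an extra RDN is a sign the input altered the structure.
    static boolean hasExpectedShape(String dn) {
        try {
            int expected = new LdapName(USER_DN_TEMPLATE.replace("{0}", "x")).size();
            return new LdapName(dn).size() == expected;
        } catch (InvalidNameException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample input containing RFC 2253 special characters (',' and '=').
        String crafted = "alice,ou=admins";

        String unsafe = unsafeUserDn(crafted);
        String safe = safeUserDn(crafted);

        System.out.println("unsafe DN: " + unsafe + "  shape ok: " + hasExpectedShape(unsafe));
        System.out.println("safe DN:   " + safe + "  shape ok: " + hasExpectedShape(safe));
    }
}
```

The shape check is a backstop for detection and testing; the actual fix is escaping the value (or upgrading to a Shiro release that does so) before the DN is used for the bind.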
Affected Vendors & Products (4 associated CPEs)

Vendor   Product   Version / Range
apache   shiro     up to 2.2.1 (excluded)
apache   shiro     up to 3.0.0-alpha-2 (excluded)
apache   shiro     2.2.1
apache   shiro     3.0.0-alpha-2
CWE-90: The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.
Executive Summary

This vulnerability occurs because the DefaultLdapRealm class in Apache Shiro directly concatenates user-supplied username input into the LDAP Distinguished Name (DN) template without escaping special characters defined by RFC 2253.

An attacker can inject LDAP special characters into the DN construction, which allows them to manipulate the DN structure used for LDAP bind authentication.

This manipulation can potentially let the attacker bypass authentication or impersonate other users.

Impact Analysis

The vulnerability can allow a remote attacker to bypass authentication mechanisms or impersonate other users by injecting special LDAP characters into the DN.

This can lead to unauthorized access to systems or data protected by Apache Shiro's LDAP authentication.

Mitigation Strategies

To mitigate this vulnerability, upgrade Apache Shiro to version 2.2.1 or later, or to 3.0.0-alpha-2 or later if using the 3.x alpha releases.
