CVE-2026-56091
Authentication Bypass in Apache Shiro via shiro-guice

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: Apache Software Foundation

Description
When Apache Shiro is used together with the shiro-guice module in a web servlet context, a specially crafted HTTP request can cause an authentication bypass. This vulnerability is similar to CVE-2020-1957 (https://www.cve.org/CVERecord?id=CVE-2020-1957), except that it affects the `shiro-guice` module instead of the `shiro-spring` module. The issue affects all Apache Shiro versions through 2.x, as well as 3.0.0-alpha-1, and only when the `shiro-guice` module is used in a web servlet context. Upgrade to version 3.0.0 or later, which fixes the issue.
Meta Information

Published: 2026-06-25
Last Modified: 2026-06-25
Generated: 2026-06-25
AI Q&A: 2026-06-25
EPSS Evaluated: N/A
Affected Vendors & Products

5 associated CPEs:

Vendor   Product   Version / Range
apache   shiro     from 3.0.0 (inc)
apache   shiro     to 3.0.0-alpha-1 (exc)
apache   shiro     to 2.x (inc)
apache   shiro     to 2.x (exc)
apache   shiro     to 3.0.0 (exc)
CWE

CWE-289: The product performs authentication based on the name of a resource being accessed, or the name of the actor performing the access, but it does not properly check all possible names for that resource or actor.
Executive Summary

This vulnerability occurs in Apache Shiro when the shiro-guice module is used within a web servlet context. A specially crafted HTTP request can exploit this flaw to bypass authentication.

It is similar to a previous vulnerability (CVE-2020-1957) but affects the shiro-guice module instead of the shiro-spring module.

The issue affects all Apache Shiro versions through 2.x and 3.0.0-alpha-1 when using the shiro-guice module in a web servlet context. Upgrading to version 3.0.0 or later resolves the problem.

Impact Analysis

This vulnerability can allow an attacker to bypass authentication by sending a specially crafted HTTP request. This means unauthorized users could gain access to protected resources or perform actions without proper credentials.

Such unauthorized access could lead to data exposure, unauthorized operations, or compromise of the affected system's security.

Mitigation Strategies

To mitigate this vulnerability, upgrade Apache Shiro to version 3.0.0 or later, which fixes the issue. Because the flaw is only reachable when the shiro-guice module is used in a web servlet context, deployments that integrate Shiro another way (for example via shiro-spring, which is covered separately by CVE-2020-1957) should confirm which integration module they actually ship before deciding whether this record applies to them.
