CVE-2026-56091
Deferred Deferred - Pending Action

Authentication Bypass in Apache Shiro via shiro-guice

Vulnerability report for CVE-2026-56091, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: Apache Software Foundation

Description

When using Apache Shiro with the shiro-guice module in a web servlet context, a specially crafted HTTP request may cause an authentication bypass. This vulnerability is similar to https://www.cve.org/CVERecord?id=CVE-2020-1957 https://www.cve.org/CVERecord , except that it affects the `shiro-guice` module instead of the `shiro-spring` module. This issue affects all Apache Shiro versions through 2.x, and 3.0.0-alpha-1 only when using `shiro-guice` module in a web servlet context. Upgrade to version 3.0.0 or later, which fixes the issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-25
Last Modified
2026-06-25
Generated
2026-07-15
AI Q&A
2026-06-25
EPSS Evaluated
2026-07-14
NVD
EUVD

Affected Vendors & Products

Showing 5 associated CPEs
Vendor Product Version / Range
apache shiro From 3.0.0 (inc)
apache shiro to 3.0.0-alpha-1 (exc)
apache shiro to 2.x (inc)
apache shiro to 2.x (exc)
apache shiro to 3.0.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-289 The product performs authentication based on the name of a resource being accessed, or the name of the actor performing the access, but it does not properly check all possible names for that resource or actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability occurs in Apache Shiro when using the shiro-guice module within a web servlet context. A specially crafted HTTP request can exploit this flaw to bypass authentication mechanisms.

It is similar to a previous vulnerability (CVE-2020-1957) but affects the shiro-guice module instead of the shiro-spring module.

The issue affects all Apache Shiro versions through 2.x and 3.0.0-alpha-1 when using the shiro-guice module in a web servlet context. Upgrading to version 3.0.0 or later resolves the problem.

Impact Analysis

This vulnerability can allow an attacker to bypass authentication by sending a specially crafted HTTP request. This means unauthorized users could gain access to protected resources or perform actions without proper credentials.

Such unauthorized access could lead to data exposure, unauthorized operations, or compromise of the affected system's security.

Mitigation Strategies

To mitigate this vulnerability, upgrade Apache Shiro to version 3.0.0 or later, which fixes the issue.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56091. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart