CVE-2026-23901

Severity: Low (CVSS 4.0 base score 1.0) · EPSS 12.3%
Published Feb 10, 2026 · Modified Jun 17, 2026

Description

Observable Timing Discrepancy vulnerability in Apache Shiro. This issue affects Apache Shiro: from 1.*, 2.* before 2.0.7. Users are recommended to upgrade to version 2.0.7 or later, which fixes the issue. Prior to Shiro 2.0.7, the code paths for non-existent and existing users differ enough that a brute-force attacker, by timing the requests alone, may be able to determine whether a request failed because the user does not exist or because the password was wrong. The most likely attack vector is a local attack only. The Shiro security model documentation (https://shiro.apache.org/security-model.html#username_enumeration) discusses this as well. Typically, brute-force attacks can be mitigated at the infrastructure level.
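The description above attributes the discrepancy to different amounts of work on the two code paths. The following is an added illustration, not Shiro's code: a login check that returns early for unknown users beside one that always performs the password-hash computation, using a constructed in-memory user store and a dummy credential for unknown names. A call counter stands in for wall-clock timing.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 10_000  # deliberately low so the example runs quickly

_hash_calls = 0  # counts expensive verifications; stands in for elapsed time


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256: the costly step whose presence or absence is observable."""
    global _hash_calls
    _hash_calls += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed sample user store (placeholder credentials, not real data).
_ALICE_SALT = b"constructed-salt-0001"
USERS = {"alice": (_ALICE_SALT, hash_password("correct horse", _ALICE_SALT))}

# Dummy credential used when the username is unknown, so the expensive step
# still runs. Its hash is derived from a random value, so it never matches.
_DUMMY_SALT = b"constructed-dummy-salt"
_DUMMY_HASH = hash_password(secrets.token_hex(16), _DUMMY_SALT)


def authenticate_leaky(username: str, password: str) -> bool:
    """Returns early for unknown users: the skipped hash computation is the
    observable timing discrepancy (CWE-208)."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(hash_password(password, salt), stored)


def authenticate_constant_work(username: str, password: str) -> bool:
    """Does the same hashing work and gives the same generic answer whether
    or not the username exists."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    matched = hmac.compare_digest(hash_password(password, salt), stored)
    return matched and username in USERS


def measure(auth_fn, username: str, password: str):
    """Return (result, number of hash computations) for one login attempt."""
    before = _hash_calls
    result = auth_fn(username, password)
    return result, _hash_calls - before
```

With the leaky variant an unknown user costs zero hash computations while a wrong password costs one; the constant-work variant costs one in every case and still rejects both.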

CVSS Details

Base Score: 1.0
Vector string:
CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:A/V:C/RE:L/U:Green
Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: Active (A)
Scope: N

Threat Intelligence

EPSS Exploit Probability: 12.3%
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses (1)

CWE-208

Affected Products (1)

Vendor   Product   Version   Range
apache   shiro     *         <2.0.7

References (2)

  • openwall.com http://www.openwall.com/lists/oss-security/2026/02/08/2
    Mailing List, Third Party Advisory
  • lists.apache.org https://lists.apache.org/thread/mm1jct9b86jvnh3y44tj22xvjtx3xhhh
    Issue Tracking, Mailing List, Third Party Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.