CVE-2026-49268

HIGH EPSS 38.7%

Published Jun 17, 20261w ago · Modified Jun 18, 20261w ago

8.8 CVSS 4.0

High

Published Jun 17, 2026 1w ago

Last Modified Jun 18, 2026 1w ago

Description

A remote attacker can inject LDAP special characters into the Distinguished Name (DN) construction in DefaultLdapRealm class. User-supplied username input is directly concatenated into the LDAP DN template without any escaping of RFC 2253 special characters. This allows an attacker to manipulate the DN structure used for LDAP bind authentication, potentially bypassing authentication or impersonating other users. This issue affects all Apache Shiro versions through 2.2.0, and 3.0.0-alpha-1 when using DefaultLdapRealm Upgrade to Apache Shiro 2.2.1 or 3.0.0-alpha-2 or later, which fixes the issue.

CVSS Details

Base Score

8.8

Exploitability

—

Impact

—

Vector string

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:A/V:X/RE:L/U:Red

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction None

Scope P

Threat Intelligence

EPSS Exploit Probability

38.7% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-90

Affected Products 2

Vendor	Product	Version	Range
apache	shiro	*	<2.2.1
apache	shiro	3.0.0	any

References 2

openwall.com http://www.openwall.com/lists/oss-security/2026/06/17/8

Third Party Advisory
lists.apache.org https://lists.apache.org/thread/svszql3od8td7hn6conyj2oq70v53b5s

Mailing ListVendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.