CVE-2026-23903
MEDIUMApache Shiro < 2.0.7 - Authentication Bypass via Case-Insensitive Static File Request
Title source: llmDescription
Authentication Bypass by Alternate Name vulnerability in Apache Shiro. This issue affects Apache Shiro: before 2.0.7. Users are recommended to upgrade to version 2.0.7, which fixes the issue. The issue only effects static files. If static files are served from a case-insensitive filesystem, such as default macOS setup, static files may be accessed by varying the case of the filename in the request. If only lower-case (common default) filters are present in Shiro, they may be bypassed this way. Shiro 2.0.7 and later has a new parameters to remediate this issue shiro.ini: filterChainResolver.caseInsensitive = true application.propertie: shiro.caseInsensitive=true Shiro 3.0.0 and later (upcoming) makes this the default.
References (2)
Core 2
Core References
Mailing List, Vendor Advisory vendor-advisory
https://lists.apache.org/thread/5jjf0hnjcol58z2m5y255c7scz1lnp8k
Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2026/02/08/1
Scores
CVSS v3
5.3
EPSS
0.0010
EPSS Percentile
27.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-289
Status
published
Products (2)
apache/shiro
< 2.0.7
org.apache.shiro/shiro-spring
0 - 2.1.0Maven
Published
Feb 09, 2026
Tracked Since
Feb 18, 2026