CVE-2026-49268
CRITICALApache Shiro: LDAP DN Injection in DefaultLdapRealm
Title source: cnaDescription
A remote attacker can inject LDAP special characters into the Distinguished Name (DN) construction in DefaultLdapRealm class. User-supplied username input is directly concatenated into the LDAP DN template without any escaping of RFC 2253 special characters. This allows an attacker to manipulate the DN structure used for LDAP bind authentication, potentially bypassing authentication or impersonating other users. This issue affects all Apache Shiro versions through 2.2.0, and 3.0.0-alpha-1 when using DefaultLdapRealm Upgrade to Apache Shiro 2.2.1 or 3.0.0-alpha-2 or later, which fixes the issue.
References (2)
Core 2
Core References
Vendor Advisory vendor-advisory
https://lists.apache.org/thread/svszql3od8td7hn6conyj2oq70v53b5s
Scores
CVSS v3
9.1
EPSS
0.0049
EPSS Percentile
39.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-90
Status
published
Products (6)
apache/shiro
3.0.0 alpha1
apache/shiro
< 2.2.1
Apache Software Foundation/Apache Shiro
< 2.2.0
Apache Software Foundation/Apache Shiro
3.0.0-alpha-0 - 3.0.0-alpha-1
org.apache.shiro/shiro-core
0 - 2.2.1Maven
org.apache.shiro/shiro-core
3.0.0-alpha-0 - 3.0.0-alpha-2Maven
Published
Jun 17, 2026
Tracked Since
Jun 17, 2026