CVE-2026-23901

Observable Timing Discrepancy vulnerability in Apache Shiro. This issue affects Apache Shiro: from 1.*, 2.* before 2.0.7. Users are recommended to upgrade to version 2.0.7 or later, which fixes the issue. Prior to Shiro 2.0.7, code paths for non-existent vs. existing users are different enough, that a brute-force attack may be able to tell, by timing the requests only, determine if the request failed because of a non-existent user vs. wrong password. The most likely attack vector is a local attack only. Shiro security model https://shiro.apache.org/security-model.html#username_enumeration discusses this as well. Typically, brute force attack can be mitigated at the infrastructure level.

CVSS v3 2.5 LOW

2.5^/10

CVSS v3 : LOW

Vector :

Exploitability : 1.0 / Impact : 1.4

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://lists.apache.org/thread/mm1jct9b86jvnh3y44tj22xvjtx3xhhh	Issue Tracking Third Party Advisory Mailing List
http://www.openwall.com/lists/oss-security/2026/02/08/2	Mailing List Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:shiro:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-10 10:15

Updated : 2026-02-12 15:30

NVD link : CVE-2026-23901

Mitre link : CVE-2026-23901

CVE.ORG link : CVE-2026-23901

JSON object : View

Products Affected

apache

shiro

CWE

CWE-208

Observable Timing Discrepancy

{"id": "CVE-2026-23901", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.5, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 1.0}], "cvssMetricV40": [{"type": "Secondary", "source": "security@apache.org", "cvssData": {"Safety": "NEGLIGIBLE", "version": "4.0", "Recovery": "AUTOMATIC", "baseScore": 1.0, "Automatable": "YES", "attackVector": "LOCAL", "baseSeverity": "LOW", "valueDensity": "CONCENTRATED", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:A/V:C/RE:L/U:Green", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "GREEN", "userInteraction": "ACTIVE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "LOW", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-10T10:15:59.240", "references": [{"url": "https://lists.apache.org/thread/mm1jct9b86jvnh3y44tj22xvjtx3xhhh", "tags": ["Issue Tracking", "Third Party Advisory", "Mailing List"], "source": "security@apache.org"}, {"url": "http://www.openwall.com/lists/oss-security/2026/02/08/2", "tags": ["Mailing List", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-208"}]}], "descriptions": [{"lang": "en", "value": "Observable Timing Discrepancy vulnerability in Apache Shiro.\n\nThis issue affects Apache Shiro: from 1.*, 2.* before 2.0.7.\n\nUsers are recommended to upgrade to version 2.0.7 or later, which fixes the issue.\n\nPrior to Shiro 2.0.7, code paths for non-existent vs. existing users are different enough,\nthat a brute-force attack may be able to tell, by timing the requests only, determine if\nthe request failed because of a non-existent user vs. wrong password.\n\nThe most likely attack vector is a local attack only.\nShiro security model\u00a0 https://shiro.apache.org/security-model.html#username_enumeration \u00a0discusses this as well.\n\nTypically, brute force attack can be mitigated at the infrastructure level."}, {"lang": "es", "value": "Vulnerabilidad de discrepancia de tiempo observable en Apache Shiro.\n\nEste problema afecta a Apache Shiro: desde 1.*, 2.* antes de 2.0.7.\n\nSe recomienda a los usuarios actualizar a la versi\u00f3n 2.0.7 o posterior, que soluciona el problema.\n\nAntes de Shiro 2.0.7, las rutas de c\u00f3digo para usuarios inexistentes frente a usuarios existentes son lo suficientemente diferentes como para que un ataque de fuerza bruta pueda discernir, solo cronometrando las solicitudes, si la solicitud fall\u00f3 debido a un usuario inexistente frente a una contrase\u00f1a incorrecta.\n\nEl vector de ataque m\u00e1s probable es solo un ataque local.\nEl modelo de seguridad de Shiro https://shiro.apache.org/security-model.html#username_enumeration tambi\u00e9n aborda esto.\n\nT\u00edpicamente, el ataque de fuerza bruta puede mitigarse a nivel de infraestructura."}], "lastModified": "2026-02-12T15:30:25.543", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:shiro:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9E1B2B45-F100-4693-9F70-FE8D342853A3", "versionEndExcluding": "2.0.7"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}