Apache Shiro
CVE-2026-49268
HIGH
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/S:P/AU:Y/R:A/RE:L/U:Red
Network-reachable login with no auth or UI (AV:N/AC:L/PR:N/UI:N); integrity high due to authentication bypass/impersonation, confidentiality low from incidental data exposure, availability unaffected.
Primary rating from Vendor (apache).
Description (CVE.org)
A remote attacker can inject LDAP special characters into the Distinguished Name (DN) construction in the DefaultLdapRealm class. User-supplied username input is concatenated directly into the LDAP DN template without any escaping of RFC 2253 special characters. This allows an attacker to manipulate the DN structure used for LDAP bind authentication, potentially bypassing authentication or impersonating other users.
This issue affects all Apache Shiro versions through 2.2.0, and 3.0.0-alpha-1, when using DefaultLdapRealm. Upgrade to Apache Shiro 2.2.1 or 3.0.0-alpha-2 or later, which fixes the issue.
Analysis (AI)
LDAP injection in Apache Shiro's DefaultLdapRealm allows remote unauthenticated attackers to manipulate Distinguished Name construction during LDAP bind authentication, potentially bypassing authentication or impersonating other users. The flaw affects all versions through 2.2.0 and 3.0.0-alpha-1 when DefaultLdapRealm is in use, with no public exploit identified at time of analysis. …
Vulnerability Assessment (AI)

| Aspect | Assessment |
|---|---|
| Exploitation | The target application must be configured to use Apache Shiro's DefaultLdapRealm for authentication and must be running a version through 2.2.0 or 3.0.0-alpha-1; deployments using other Shiro realms are not exploitable via this flaw. … |
| Risk Assessment | The CVSS 4.0 vector AV:N/AC:L/AT:N/PR:N/UI:N indicates a network-reachable, low-complexity, unauthenticated attack against the login surface, which is highly attractive to opportunistic and targeted attackers alike. … |
| Exploit Scenario | An attacker submits a username such as `admin),0)(uid=*` or `admin\2C ou=admins` to a public-facing login form backed by Shiro's DefaultLdapRealm; the unescaped value is concatenated into the bind DN template, producing a DN that resolves to a privileged account or otherwise bypasses the intended identity check. Because no authentication or user interaction is required and complexity is low, this can be probed at scale against exposed Shiro-backed applications. … |
| Remediation | Vendor-released patch: upgrade to Apache Shiro 2.2.1 (for the 2.x line) or 3.0.0-alpha-2 or later (for the 3.x pre-release line), per the Apache advisory at https://lists.apache.org/thread/svszql3od8td7hn6conyj2oq70v53b5s. … |
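The description and the exploit scenario above both turn on one detail: the username is substituted into the bind-DN template without RFC 2253/4514 escaping. The following Java class is an added example, not Apache Shiro's code and not taken from this advisory; it places the raw-concatenation pattern beside a hardened builder that escapes the value with the JDK's `javax.naming.ldap.Rdn.escapeValue` before substitution, and adds a structural round-trip check via `LdapName`. The `{0}`-placeholder template, the `USERNAME_POLICY` allow-list and the method names are assumptions for illustration.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import java.util.regex.Pattern;

/**
 * Added example (not Shiro's code): contrasts the raw-concatenation DN
 * construction described in the advisory with a hardened version that
 * escapes the username per RFC 4514 (the current revision of RFC 2253)
 * before it is substituted into the bind-DN template.
 */
public final class SafeUserDnBuilder {

    /** Assumed Shiro-style template: {0} is replaced by the username. */
    private static final String USER_DN_TEMPLATE = "uid={0},ou=users,dc=example,dc=com";

    /**
     * Hypothetical allow-list for usernames in this deployment; adjust it to
     * the directory's real naming policy. Applied before escaping as defence
     * in depth, because DN escaping deliberately leaves LDAP search-filter
     * metacharacters such as '(', ')' and '*' untouched.
     */
    private static final Pattern USERNAME_POLICY = Pattern.compile("^[A-Za-z0-9._-]{1,64}$");

    private SafeUserDnBuilder() { }

    /** The vulnerable pattern: the raw username lands inside the DN unchanged. */
    public static String unsafeUserDn(String username) {
        return USER_DN_TEMPLATE.replace("{0}", username);
    }

    /**
     * Hardened construction: Rdn.escapeValue backslash-escapes the DN special
     * characters (',', '+', '"', '\\', '<', '>', ';', '=', '#') and leading or
     * trailing spaces, so the value remains one RDN attribute value and cannot
     * add, split or rename RDN components.
     */
    public static String escapedUserDn(String username) {
        return USER_DN_TEMPLATE.replace("{0}", Rdn.escapeValue(username));
    }

    /** Policy gate: reject usernames outside the allow-list before escaping. */
    public static String validatedUserDn(String username) {
        if (!USERNAME_POLICY.matcher(username).matches()) {
            throw new IllegalArgumentException("username violates naming policy; refusing to build bind DN");
        }
        return escapedUserDn(username);
    }

    /**
     * Structural check: parsing the escaped DN must yield exactly as many RDNs
     * as the template itself. A username that could inject a new RDN would
     * change this count.
     */
    public static boolean preservesStructure(String username) throws InvalidNameException {
        int expected = new LdapName(USER_DN_TEMPLATE.replace("{0}", "x")).size();
        return new LdapName(escapedUserDn(username)).size() == expected;
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: the two usernames quoted in the exploit scenario plus a benign one.
        String[] samples = { "admin),0)(uid=*", "admin\\2C ou=admins", "alice" };
        for (String u : samples) {
            System.out.println("input      : " + u);
            System.out.println("  unsafe   : " + unsafeUserDn(u));
            System.out.println("  escaped  : " + escapedUserDn(u));
            System.out.println("  one-rdn  : " + preservesStructure(u));
            try {
                System.out.println("  policy   : " + validatedUserDn(u));
            } catch (IllegalArgumentException e) {
                System.out.println("  policy   : rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

Two design points: escaping and validation are layered rather than alternatives, because `Rdn.escapeValue` only neutralises DN syntax, while characters like `(`, `)` and `*` matter in LDAP search filters that a realm may build from the same username later. The `preservesStructure` check is cheap enough to run on every login and is a useful regression test for any custom realm that overrides DN construction.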
Recommended Action (AI)
Within 24 hours: Inventory all deployments of Apache Shiro versions ≤2.2.0 and 3.0.0-alpha-1 using DefaultLdapRealm. …