CVE-2026-23901 — Vulnetix

CVE-2026-23901 PUBLISHED CVSS 1 LOW

Observable Timing Discrepancy vulnerability in Apache Shiro. This issue affects Apache Shiro: from 1.*, 2.* before 2.0.7. Users are recommended to upgrade to version 2.0.7 or later, which fixes the issue. Prior to Shiro 2.0.7, code paths for non-existent vs. existing users are different enough, that a brute-force attack may be able to tell, by timing the requests only, determine if the request failed because of a non-existent user vs. wrong password. The most likely attack vector is a local attack only. Shiro security model https://shiro.apache.org/security-model.html#username_enumeration discusses this as well. Typically, brute force attack can be mitigated at the infrastructure level.

EPSS 0.01% · 0.9th percentile

Risk Scores

CVSS v4.0

CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/S:N/AU:Y/R:A/V:C/RE:L/U:Green

EPSS Score

0.01%

0.9th percentile

Affected Products

Vendor	Product	Versions
apache	shiro	0, 0
Maven	org.apache.shiro:shiro-core	0, 0
Apache Software Foundation	Apache Shiro	0, 0

Timeline

Feb 8, 2026 PoC Published
Feb 8, 2026 PoC Published
Feb 10, 2026 CVE Published
Feb 10, 2026 EPSS Score
Feb 10, 2026 PoC Published
Feb 12, 2026 EPSS Score
Feb 14, 2026 EPSS Score
Feb 16, 2026 EPSS Score
Feb 18, 2026 EPSS Score
Feb 20, 2026 EPSS Score
Feb 22, 2026 EPSS Score
Feb 24, 2026 EPSS Score

References

https://lists.apache.org/thread/mm1jct9b86jvnh3y44tj22xvjtx3xhhh vendor-advisory
http://www.openwall.com/lists/oss-security/2026/02/08/2 url
https://nvd.nist.gov/vuln/detail/CVE-2026-23901 advisory
https://github.com/apache/shiro package

Open in Interactive Console →