Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass
Description
Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass. Users should update to Apache Shiro 1.8.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Shiro before 1.8.0 with Spring Boot allows authentication bypass via crafted HTTP request.
Vulnerability
Apache Shiro versions prior to 1.8.0, when used with Spring Boot, are vulnerable to an authentication bypass. A specially crafted HTTP request can exploit this flaw, allowing an attacker to bypass security controls. The vulnerability exists in the default configuration when Shiro integrates with Spring Boot's auto-configuration. [1]
Exploitation
An attacker only needs network access to the target application. No prior authentication is required. The attacker crafts a malicious HTTP request that manipulates the authentication process, leading to bypass. The exact request structure is not publicly detailed but leverages Shiro's handling of specially crafted inputs. [1]
Impact
Successful exploitation results in authentication bypass. The attacker can gain unauthorized access to protected resources or perform actions as any user without valid credentials. This compromises the confidentiality, integrity, and availability of the application. [1]
Mitigation
Users should upgrade to Apache Shiro version 1.8.0 or later, which contains the fix. No workarounds are provided in the available references. The fix was released in September 2021. [1]
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.shiro:shiro-core (Maven) | < 1.8.0 | 1.8.0 |
Affected products
OSV coordinates and affected ranges (7 entries, plus the CVE v5 record):
- pkg:deb/ubuntu/shiro?arch=src?distro=esm-apps/bionic (no CPE), range: >= 0
- pkg:deb/ubuntu/shiro?arch=src?distro=esm-apps/xenial (no CPE), range: >= 0
- pkg:deb/ubuntu/shiro?arch=src?distro=focal (no CPE), range: >= 0
- pkg:deb/ubuntu/shiro?arch=src?distro=jammy (no CPE), range: >= 0
- pkg:deb/ubuntu/shiro?arch=src?distro=noble (no CPE), range: >= 0
- pkg:deb/ubuntu/shiro?arch=src?distro=oracular (no CPE), range: >= 0
- pkg:maven/org.apache.shiro/shiro-core (no CPE), range: < 1.8.0
- Apache Software Foundation / Apache Shiro (CVE v5 range): Apache Shiro
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-f6jp-j6w3-w9hm (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-41303 (ghsa, ADVISORY)
- lists.apache.org/thread.html/raae98bb934e4bde304465896ea02d9798e257e486d04a42221e2c41b%40%3Cuser.shiro.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/raae98bb934e4bde304465896ea02d9798e257e486d04a42221e2c41b@%3Cuser.shiro.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/re470be1ffea44bca28ccb0e67a4cf5d744e2d2b981d00fdbbf5abc13%40%3Cannounce.shiro.apache.org%3E (ghsa, x_refsource_MISC, WEB)
- security.netapp.com/advisory/ntap-20220609-0001 (ghsa, WEB)
- security.netapp.com/advisory/ntap-20220609-0001/ (mitre, x_refsource_CONFIRM)
- www.oracle.com/security-alerts/cpujul2022.html (ghsa, x_refsource_MISC, WEB)
News mentions
No linked articles in our index yet.