Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher
Description
Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Shiro before 1.10.0 contains an authentication bypass vulnerability when forwarding or including via RequestDispatcher.
Vulnerability
Description
Apache Shiro prior to version 1.10.0 is vulnerable to an authentication bypass that occurs when the application uses RequestDispatcher.forward() or RequestDispatcher.include() [1][4]. The root cause is that Shiro's filtering mechanism does not properly handle requests that are forwarded or included, potentially allowing unauthenticated access to protected resources.
Exploitation
An attacker can exploit this vulnerability by crafting a request that triggers a forward or include operation, bypassing the authentication checks that would normally be applied [2]. No special privileges are required, as the attack is performed remotely over the network. The vulnerability is present in applications using Apache Shiro's servlet filter integration.
Impact
Successful exploitation allows an attacker to bypass authentication and access protected pages or endpoints without proper credentials. This could lead to unauthorized information disclosure, privilege escalation, or further system compromise.
Mitigation
The vulnerability is fixed in Apache Shiro version 1.10.0 [2][4]. Users are strongly advised to upgrade to this version or later. No workarounds are currently available for earlier versions.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.shiro:shiro-coreMaven | < 1.10.0 | 1.10.0 |
Affected products
2- Apache Software Foundation/Apache Shirov5Range: Apache Shiro
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
9- github.com/advisories/GHSA-45x9-q6vj-cqgqghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2022-40664ghsaADVISORY
- www.openwall.com/lists/oss-security/2022/10/12/1ghsamailing-listWEB
- www.openwall.com/lists/oss-security/2022/10/12/2ghsamailing-listWEB
- www.openwall.com/lists/oss-security/2022/10/13/1ghsamailing-listWEB
- lists.apache.org/thread/loc2ktxng32xpy7lfwxto13k4lvnhjwgghsaWEB
- security.netapp.com/advisory/ntap-20221118-0005ghsaWEB
- shiro.apache.org/blog/2022/10/10/2022/apache-shiro-1101-released.htmlghsaWEB
- security.netapp.com/advisory/ntap-20221118-0005/mitre
News mentions
0No linked articles in our index yet.