Apache Shiro: Brute force attack possible to determine valid user names
Description
Observable Timing Discrepancy vulnerability in Apache Shiro.
This issue affects Apache Shiro: from 1.*, 2.* before 2.0.7.
Users are recommended to upgrade to version 2.0.7 or later, which fixes the issue.
Prior to Shiro 2.0.7, code paths for non-existent vs. existing users are different enough, that a brute-force attack may be able to tell, by timing the requests only, determine if the request failed because of a non-existent user vs. wrong password.
The most likely attack vector is a local attack only. Shiro security model https://shiro.apache.org/security-model.html#username_enumeration discusses this as well.
Typically, brute force attack can be mitigated at the infrastructure level.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.shiro:shiro-coreMaven | < 2.1.0 | 2.1.0 |
Affected products
7- osv-coords6 versionspkg:apk/chainguard/apache-jena-fusekipkg:apk/chainguard/neo4j-2026.01pkg:apk/chainguard/neo4j-5.26pkg:apk/wolfi/neo4j-2026.01pkg:apk/wolfi/neo4j-5.26pkg:maven/org.apache.shiro/shiro-core
< 6.0.0-r2+ 5 more
- (no CPE)range: < 6.0.0-r2
- (no CPE)range: < 2026.01.4-r0
- (no CPE)range: < 5.26.21-r2
- (no CPE)range: < 2026.01.4-r0
- (no CPE)range: < 5.26.21-r2
- (no CPE)range: < 2.1.0
- Apache Software Foundation/Apache Shirov5Range: 0
Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-c4qc-4q9p-m9q9ghsaADVISORY
- lists.apache.org/thread/mm1jct9b86jvnh3y44tj22xvjtx3xhhhghsavendor-advisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2026-23901ghsaADVISORY
- www.openwall.com/lists/oss-security/2026/02/08/2ghsaWEB
News mentions
0No linked articles in our index yet.