Apache Shiro: Brute force attack possible to determine valid user names
Description
Observable Timing Discrepancy vulnerability in Apache Shiro.
This issue affects Apache Shiro 1.* and 2.* before 2.0.7.
Users are recommended to upgrade to version 2.0.7 or later, which fixes the issue.
Prior to Shiro 2.0.7, the code paths for non-existent and existing users differ enough that a brute-force attack may be able to determine, from request timing alone, whether a request failed because of a non-existent user or because of a wrong password.
The most likely attack vector is local only. The Shiro security model (https://shiro.apache.org/security-model.html#username_enumeration) discusses this as well.
Typically, brute-force attacks can be mitigated at the infrastructure level.
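As an added illustration, constructed for this page and not Shiro's own code, the Python snippet below contrasts the leaky shape described above, where an unknown user short-circuits before any password hashing, with an equal-work variant that verifies unknown users against a dummy record, and times both failure paths. The user store, salt and credentials are constructed sample data.

```python
"""Constructed demo of the timing discrepancy class behind this advisory (not Shiro's code)."""
import hashlib
import hmac
import os
import time

ITERATIONS = 50_000          # slow hash so the work difference is visible

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# Constructed user store: username -> (salt, stored hash).
SALT = b"constructed-demo-salt"
USERS = {"alice": (SALT, hash_password("correct horse", SALT))}

# Dummy record hashed once at startup; unknown users are verified against it
# so the "no such user" path costs the same as a wrong password.
DUMMY = (SALT, hash_password(os.urandom(16).hex(), SALT))

def login_leaky(username: str, password: str) -> bool:
    """Vulnerable shape: an unknown user returns before any hashing is done."""
    record = USERS.get(username)
    if record is None:
        return False                      # fast path, distinguishable by timing
    salt, stored = record
    return hmac.compare_digest(hash_password(password, salt), stored)

def login_equalised(username: str, password: str) -> bool:
    """Hardened shape: always run the full hash, then reject unknown users."""
    salt, stored = USERS.get(username, DUMMY)
    matches = hmac.compare_digest(hash_password(password, salt), stored)
    return matches and username in USERS

def time_ms(fn, *args, rounds: int = 5) -> float:
    """Best-of-N wall-clock time for one call, in milliseconds."""
    best = float("inf")
    for _ in range(rounds):
        start = time.perf_counter()
        fn(*args)
        best = min(best, time.perf_counter() - start)
    return best * 1000

if __name__ == "__main__":
    for name, fn in (("leaky", login_leaky), ("equalised", login_equalised)):
        unknown = time_ms(fn, "nobody", "x")
        wrong_pw = time_ms(fn, "alice", "x")
        print(f"{name:9s} unknown user {unknown:7.2f} ms | wrong password {wrong_pw:7.2f} ms")
```

Running it shows the leaky variant rejecting an unknown user in microseconds while a wrong password takes the full hash time; the equalised variant takes the full hash time on both paths.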
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Shiro before 2.0.7 has an observable timing discrepancy that allows local attackers to enumerate valid usernames via brute-force timing analysis.
Vulnerability
Overview
CVE-2026-23901 is an observable timing discrepancy vulnerability in Apache Shiro, a Java security framework. The issue affects all versions from 1.* and 2.* prior to 2.0.7. The root cause is that the authentication code paths for non-existent users and for existing users with a wrong password differ enough in execution time that an attacker can distinguish the two cases by measuring response times [1][2].
Exploitation
The attack vector is primarily local, meaning an attacker must be able to send authentication requests and measure their timing with sufficient precision. No special privileges are required and no prior authentication is needed to exploit the timing leak, since the discrepancy occurs during the initial login attempt. The vulnerability enables a brute-force attack to determine whether a given username exists on the system, which is a form of username enumeration [2].
Impact
By exploiting the timing difference, an attacker can build a list of valid usernames. This information can then be used to focus password-guessing attacks on known accounts, increasing the efficiency of brute-force or credential-stuffing attempts. While the severity is considered low, username enumeration can weaken other security controls [2].
Mitigation
The fix is included in Apache Shiro version 2.0.7 and later. Users are strongly recommended to upgrade to the latest version. As a general mitigation, brute-force attacks can also be limited at the infrastructure level, for example by rate-limiting login attempts or using CAPTCHAs [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.shiro:shiro-core (Maven) | < 2.1.0 | 2.1.0 |
Affected products
- Apache Software Foundation / Apache Shiro
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-c4qc-4q9p-m9q9 (GitHub Security Advisory)
- lists.apache.org/thread/mm1jct9b86jvnh3y44tj22xvjtx3xhhh (vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-23901 (NVD advisory)
- www.openwall.com/lists/oss-security/2026/02/08/2 (oss-security list post)
News mentions
No linked articles in our index yet.