Hi,
Where can I find the instructions to check whether my systems are
affected by this?
I opened the link: https://www.cve.org/CVERecord?id=CVE-2026-23901 but I
can’t find anything.
thanks.
Roberto.
Il 08-02-2026 17:30 Lenny Primak ha scritto:
Severity: low
Affected versions:
- Apache Shiro (org.apache.shiro:shiro-core) before 2.0.7
Description:
Observable Timing Discrepancy vulnerability in Apache Shiro.
This issue affects Apache Shiro: from 1.*, 2.* before 2.0.7.
Users are recommended to upgrade to version 2.0.7 or later, which
fixes the issue.
Prior to Shiro 2.0.7, code paths for non-existent vs. existing users
are different enough,
that a brute-force attack may be able to tell, by timing the requests
only, determine if
the request failed because of a non-existent user vs. wrong password.
The most likely attack vector is a local attack only.
Shiro security model
https://shiro.apache.org/security-model.html#username_enumeration
discusses this as well.
Typically, brute force attack can be mitigated at the infrastructure
level.
Credit:
4ra1n (finder)
Y4tacker (finder)
lprimak (remediation developer)
References:
https://shiro.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-23901
