Hi, Roberto, CVEs are in the process of being published, and are not available yet. Please see https://shiro.apache.org/security-reports.html for the description of the vulnerabilities, as it has the same information as the CVEs themselves. The below email has most of the information needed.
> On Feb 9, 2026, at 1:40 AM, Roberto Bottoni <[email protected]> wrote:
>
> Hi,
>
> Where can I find the instructions to check whether my systems are affected by this?
>
> I opened the link: https://www.cve.org/CVERecord?id=CVE-2026-23901 but I can't find anything.
>
> thanks.
> Roberto.
>
> On 08-02-2026 17:30 Lenny Primak wrote:
>> Severity: low
>>
>> Affected versions:
>> - Apache Shiro (org.apache.shiro:shiro-core) before 2.0.7
>>
>> Description:
>> Observable Timing Discrepancy vulnerability in Apache Shiro.
>> This issue affects Apache Shiro: from 1.*, 2.* before 2.0.7.
>> Users are recommended to upgrade to version 2.0.7 or later, which fixes the issue.
>>
>> Prior to Shiro 2.0.7, code paths for non-existent vs. existing users are different enough, that a brute-force attack may be able to tell, by timing the requests only, determine if the request failed because of a non-existent user vs. wrong password.
>> The most likely attack vector is a local attack only.
>> Shiro security model https://shiro.apache.org/security-model.html#username_enumeration discusses this as well.
>> Typically, brute force attack can be mitigated at the infrastructure level.
>>
>> Credit:
>> 4ra1n (finder)
>> Y4tacker (finder)
>> lprimak (remediation developer)
>>
>> References:
>> https://shiro.apache.org/
>> https://www.cve.org/CVERecord?id=CVE-2026-23901
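As an added illustration of the bug class the advisory describes (this is not Shiro's realm code and not the 2.0.7 patch; the user store, password and decoy record are constructed for the demo): an authenticator that returns early for unknown usernames skips the expensive password hash entirely, while a constant-work variant pays for one hash derivation on both paths so the two failures are no longer separable by cost.

```python
import hashlib
import hmac
import os

# Iteration count kept modest for the demo; production would use far more.
ITERATIONS = 20_000


def derive(password: str, salt: bytes) -> bytes:
    """Slow password hash (PBKDF2-HMAC-SHA256). Whether or not this call
    happens is the cost difference a timing observer can pick up on."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_record(password: str) -> tuple:
    salt = os.urandom(16)
    return salt, derive(password, salt)


# Constructed sample user store: a single real account.
USERS = {"alice": make_record("correct horse battery staple")}

# Decoy record used when the username does not exist, so the unknown-user
# path still performs exactly one derive(). Its password is random and is
# never accepted, because the existence check is folded in at the end.
_DECOY_SALT, _DECOY_HASH = make_record(os.urandom(24).hex())


def authenticate_naive(username: str, password: str) -> tuple:
    """Vulnerable shape: early return for unknown users.
    Returns (authenticated, number_of_derive_calls)."""
    record = USERS.get(username)
    if record is None:
        return False, 0  # cheap path: no hashing at all
    salt, stored = record
    return hmac.compare_digest(derive(password, salt), stored), 1


def authenticate_constant_work(username: str, password: str) -> tuple:
    """Hardened shape: both paths run one derive() and one compare_digest();
    the existence flag is combined with '&' rather than 'and' so nothing
    short-circuits. Residual micro-differences (the dict lookup) remain,
    which is why rate limiting at the infrastructure level still matters."""
    record = USERS.get(username)
    exists = record is not None
    salt, stored = record if exists else (_DECOY_SALT, _DECOY_HASH)
    matched = hmac.compare_digest(derive(password, salt), stored)
    return bool(matched & exists), 1
```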
