Vulnerability Description
Observable Timing Discrepancy vulnerability in Apache Shiro. This issue affects Apache Shiro: from 1.*, 2.* before 2.0.7. Users are recommended to upgrade to version 2.0.7 or later, which fixes the issue. Prior to Shiro 2.0.7, the code paths for non-existent and existing users differ enough that a brute-force attack may be able to determine, by timing the requests alone, whether a request failed because the user does not exist or because the password was wrong. The most likely attack vector is a local attack only. The Shiro security model https://shiro.apache.org/security-model.html#username_enumeration discusses this as well. Typically, brute-force attacks can be mitigated at the infrastructure level.
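The weakness described above is a difference in work done between the unknown-user path and the known-user path. The following is an added example (not Shiro's code, and not taken from the advisory) that shows the two shapes side by side in Python against a constructed in-memory user store: a leaky login that returns early when the username is unknown, and a uniform login that always performs the same password-hash computation and reports a single generic failure. The dummy salt and hash, the `work` list used to count hash invocations, and the PBKDF2 parameters are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Constructed example parameters; a real deployment tunes the iteration count.
ITERATIONS = 20_000


def _hash(password: str, salt: bytes) -> bytes:
    """Slow password hash (PBKDF2-HMAC-SHA256) so that skipping it is measurable."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user_store(users: dict) -> dict:
    """Build a constructed store: username -> (salt, password hash)."""
    store = {}
    for name, password in users.items():
        salt = os.urandom(16)
        store[name] = (salt, _hash(password, salt))
    return store


# Hypothetical dummy credential computed once at startup. It gives the
# unknown-user path the same amount of hashing work as the known-user path.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("dummy-password-placeholder", _DUMMY_SALT)


def login_leaky(store: dict, username: str, password: str, work=None) -> bool:
    """Vulnerable shape: returns before hashing when the user is unknown,
    so an unknown username fails noticeably faster than a wrong password."""
    record = store.get(username)
    if record is None:
        return False  # fast path: no hash computed
    salt, expected = record
    if work is not None:
        work.append("hash")
    return hmac.compare_digest(_hash(password, salt), expected)


def login_uniform(store: dict, username: str, password: str, work=None) -> bool:
    """Hardened shape: hash and compare on every call, then fold the
    user-exists flag in at the end so both failures look the same."""
    record = store.get(username)
    if record is None:
        salt, expected = _DUMMY_SALT, _DUMMY_HASH
        user_exists = False
    else:
        salt, expected = record
        user_exists = True
    if work is not None:
        work.append("hash")
    match = hmac.compare_digest(_hash(password, salt), expected)
    # Even if the supplied password happens to equal the dummy password,
    # an unknown user must never authenticate.
    return match and user_exists


def hash_calls(login_fn, store: dict, username: str, password: str) -> int:
    """Count how many password hashes a login attempt performs; equal counts
    on both paths is the property the hardened version guarantees."""
    work = []
    login_fn(store, username, password, work)
    return len(work)


if __name__ == "__main__":
    users = make_user_store({"alice": "correct horse battery staple"})
    for fn in (login_leaky, login_uniform):
        print(fn.__name__,
              "unknown user hashes:", hash_calls(fn, users, "nobody", "x"),
              "wrong password hashes:", hash_calls(fn, users, "alice", "x"))
```

Counting hash invocations is a deterministic stand-in for a wall-clock measurement: the leaky version performs zero hashes for an unknown user and one for a wrong password, while the uniform version performs exactly one in both cases. A deployment can use the same idea as a regression check in its authentication tests, and combine it with the infrastructure-level rate limiting the advisory mentions.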
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Shiro | < 2.0.7 |
Related Weaknesses (CWE)
References
- https://lists.apache.org/thread/mm1jct9b86jvnh3y44tj22xvjtx3xhhh (Issue Tracking, Third Party Advisory, Mailing List)
- http://www.openwall.com/lists/oss-security/2026/02/08/2 (Mailing List, Third Party Advisory)
FAQ
What is CVE-2026-23901?
CVE-2026-23901 is a vulnerability with a CVSS score of 2.5 (LOW). Observable Timing Discrepancy vulnerability in Apache Shiro. This issue affects Apache Shiro: from 1.*, 2.* before 2.0.7. Users are recommended to upgrade to version 2.0.7 or later, which fixes the ...
How severe is CVE-2026-23901?
CVE-2026-23901 has been rated LOW with a CVSS base score of 2.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-23901?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Shiro.