CVE-2026-23901 in Shiro
Summary
by MITRE • 02/10/2026
Observable Timing Discrepancy vulnerability in Apache Shiro.
This issue affects Apache Shiro: from 1.*, 2.* before 2.0.7.
Users are recommended to upgrade to version 2.0.7 or later, which fixes the issue.
Prior to Shiro 2.0.7, code paths for non-existent vs. existing users are different enough, that a brute-force attack may be able to tell, by timing the requests only, determine if the request failed because of a non-existent user vs. wrong password.
The most likely attack vector is a local attack only. Shiro security model https://shiro.apache.org/security-model.html#username_enumeration discusses this as well.
Typically, brute force attack can be mitigated at the infrastructure level.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 02/12/2026
The vulnerability identified as CVE-2026-23901 represents a critical observable timing discrepancy in Apache Shiro authentication mechanisms that exposes systems to user enumeration attacks. This weakness specifically affects Apache Shiro versions 1.x and 2.x prior to 2.0.7, creating a security gap that allows attackers to distinguish between non-existent user accounts and incorrect password attempts through timing analysis alone. The flaw stems from the implementation where different code paths are executed for authentication attempts against non-existent versus existing users, creating measurable timing differences that can be exploited by malicious actors. The vulnerability directly impacts the security model of Apache Shiro as documented in the official security model documentation, which explicitly addresses username enumeration concerns and their implications for authentication systems.
The technical implementation of this vulnerability manifests through inconsistent response timing characteristics during authentication processes. When an authentication request is made, the system exhibits different execution times depending on whether the username exists in the system or not. For non-existent users, the authentication process follows one code path that may involve additional lookup operations or validation steps compared to the path taken for existing users with incorrect passwords. This timing differential, though subtle, becomes measurable through careful analysis of response times from authentication endpoints. Attackers can leverage this discrepancy to perform brute force attacks with significantly reduced complexity, as they can quickly identify valid usernames through timing-based enumeration techniques rather than relying solely on password guessing methods.
The operational impact of this vulnerability extends beyond simple credential compromise, as it fundamentally undermines the security assurances provided by the authentication system. While the attack vector is typically limited to local attacks according to security assessments, the implications remain severe for systems where such access might be gained. The vulnerability creates a scenario where attackers can systematically identify valid user accounts without triggering account lockout mechanisms, as the timing-based enumeration does not generate the same patterns that would typically trigger security monitoring systems. This weakness directly violates security principle of providing consistent response times for authentication operations, which is a fundamental requirement for preventing information leakage through timing side channels. The vulnerability is classified under CWE-203, which specifically addresses Observable Timing Discrepancy, and aligns with ATT&CK technique T1110.003 for Credential Stuffing, as it enables more efficient credential brute force attacks through user enumeration.
Mitigation strategies for this vulnerability primarily focus on software updates and architectural improvements to address the timing discrepancies in authentication responses. The recommended solution involves upgrading to Apache Shiro version 2.0.7 or later, which implements consistent timing behavior across all authentication code paths. Organizations should also consider implementing additional infrastructure-level protections such as rate limiting, account lockout mechanisms, and monitoring for unusual authentication patterns. Security teams should review their current authentication implementations to ensure that timing-based information leakage is minimized through consistent response handling and the use of constant-time comparison algorithms for password verification. Network-level protections including firewalls and intrusion detection systems can be configured to monitor for rapid authentication attempts that might indicate enumeration activities, while also ensuring that authentication services maintain consistent response times regardless of whether usernames exist in the system.