GHSA-c244-p6m5-vqj6

Source
https://github.com/advisories/GHSA-c244-p6m5-vqj6
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-c244-p6m5-vqj6/GHSA-c244-p6m5-vqj6.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-c244-p6m5-vqj6
Aliases
  • CVE-2026-23903
Published
2026-02-09T12:30:22Z
Modified
2026-02-11T20:11:27.436254Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
Apache Shiro has an Authentication Bypass
Details

Impact

Authentication bypass: Apache Shiro allows authentication to be bypassed for static files when they are served from a case-insensitive filesystem (such as the default configuration on macOS or Windows).

The issue arises when Shiro's URL filter rules are written in lower case (a common default) and matched case-sensitively, while the underlying operating system treats mixed-case filenames as the same file. An attacker can reach a protected static resource by varying the capitalization of the filename in the request (e.g., requesting /SECRET.TXT to bypass a rule written for /secret.txt).

This issue specifically affects static file handling and does not impact dynamic resource paths that are case-sensitive.

Patches

Users should upgrade to Apache Shiro 2.1.0 or later.

Important Configuration Note: Version 2.1.0 introduces a new configuration parameter to handle case-insensitivity, which must be enabled manually to resolve the issue:

  • shiro.ini:
    filterChainResolver.caseInsensitive = true
  • Spring Boot (application.properties):
    shiro.caseInsensitive=true

Note: Apache Shiro 3.0.0 (upcoming) will enable this setting by default.

Workarounds

  • Ensure that the filesystem hosting the application is case-sensitive (e.g., Linux/Unix).
  • Manually configure all Shiro filter chains to handle all possible case variations of protected filenames (not recommended due to complexity).
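As an added illustration for the Impact and Workarounds sections above (not Shiro's own code), the following Python models Ant-style filter chain resolution to show why a case-sensitive rule for /secret.txt leaves /SECRET.TXT on the anonymous chain and how case-insensitive matching closes that gap; it also includes a probe for the first workaround (checking whether the hosting filesystem is case-insensitive). The pattern translation, the first-match-wins order and the chain definitions are simplifying assumptions, not Shiro's implementation.

```python
import os
import re
import tempfile

# Constructed chain definitions mirroring the advisory: a lower-case rule protects
# one static file, everything else is anonymous. Assumption: first match wins.
CHAIN_DEFS = [("/secret.txt", "authc"), ("/**", "anon")]


def ant_to_regex(pattern):
    """Simplified Ant-style translation: ** spans path segments, * and ? do not."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        ch = pattern[i]
        out.append("[^/]*" if ch == "*" else "[^/]" if ch == "?" else re.escape(ch))
        i += 1
    return "^" + "".join(out) + "$"


def resolve_chain(chain_defs, request_path, case_insensitive=False):
    """Chain name the request path resolves to, or None if no rule matches."""
    flags = re.IGNORECASE if case_insensitive else 0
    for pattern, chain in chain_defs:
        if re.match(ant_to_regex(pattern), request_path, flags):
            return chain
    return None


def case_bypass_candidates(chain_defs, request_paths):
    """Audit helper: paths whose chain changes once matching ignores case.
    On a case-insensitive filesystem these reach protected files without authc."""
    return [p for p in request_paths
            if resolve_chain(chain_defs, p) != resolve_chain(chain_defs, p, True)]


def filesystem_is_case_insensitive(directory=None):
    """Probe for the first workaround: does a differently-cased name hit the same file?"""
    directory = directory or tempfile.gettempdir()
    probe = os.path.join(directory, "shiro-case-probe.tmp")
    with open(probe, "w"):
        pass
    try:
        return os.path.exists(os.path.join(directory, "SHIRO-CASE-PROBE.TMP"))
    finally:
        os.remove(probe)
```

Running the audit over the request paths seen in access logs, together with the filesystem probe, tells you whether a deployment is exposed before the 2.1.0 setting is enabled.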

Resources

Database specific
{
    "nvd_published_at": "2026-02-09T10:15:57Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-289"
    ],
    "github_reviewed_at": "2026-02-11T19:48:43Z",
    "severity": "MODERATE"
}
References

Affected packages

Maven / org.apache.shiro:shiro-spring

Package

Name
org.apache.shiro:shiro-spring
Purl
pkg:maven/org.apache.shiro/shiro-spring

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.1.0

Affected versions

1.*
1.0.0-incubating
1.1.0
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.2.5
1.2.6
1.3.0
1.3.1
1.3.2
1.4.0-RC2
1.4.0
1.4.1
1.4.2
1.5.0
1.5.1
1.5.2
1.5.3
1.6.0
1.7.0
1.7.1
1.8.0
1.9.0
1.9.1
1.10.0
1.10.1
1.11.0
1.12.0
1.13.0
2.*
2.0.0-alpha-1
2.0.0-alpha-2
2.0.0-alpha-3
2.0.0-alpha-4
2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6

Database specific

last_known_affected_version_range
"<= 2.0.6"
source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-c244-p6m5-vqj6/GHSA-c244-p6m5-vqj6.json"