CVE-2026-23901
Severity: Low
Vulnerability Description
Observable Timing Discrepancy vulnerability in Apache Shiro.
This issue affects Apache Shiro 1.* and 2.* before 2.0.7.
Users are recommended to upgrade to version 2.0.7 or later, which fixes the issue.
Prior to Shiro 2.0.7, the code paths for non-existent and existing users differ enough that a brute-force attacker may be able to determine, from request timing alone, whether a request failed because the user does not exist or because the password was wrong.
The most likely attack vector is a local attack only.
The Shiro security model documentation (https://shiro.apache.org/security-model.html#username_enumeration) discusses this as well.
Typically, brute-force attacks can be mitigated at the infrastructure level.
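The defensive pattern behind the fix (do the same credential work whether or not the user exists, then still reject unknown users) is shown below as an added example in Python; it is not Shiro's own Java code. The user store, the dummy credential and the `work` list that counts hash derivations are constructed here so the two code paths can be compared without relying on noisy wall-clock timing.

```python
import hashlib
import hmac
import os

ITERATIONS = 10_000  # deliberately slow: this is the cost that leaks via timing


def derive(password: str, salt: bytes, work: list) -> bytes:
    """Slow password hash. Appends one entry to `work` per derivation so a test
    can compare how much hashing each code path performs."""
    work.append("pbkdf2")
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store (not Shiro's realm API): username -> (salt, stored hash).
_salt = os.urandom(16)
USERS = {"alice": (_salt, derive("correct horse", _salt, []))}

# Fixed dummy credential so the unknown-user path can run a hash of equal cost.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = derive("placeholder", _DUMMY_SALT, [])


def login_vulnerable(username: str, password: str, work: list) -> bool:
    """Pre-fix shape: an unknown user returns before any hashing, so a failed
    login for a real user costs one PBKDF2 derivation more than a bogus user."""
    record = USERS.get(username)
    if record is None:
        return False  # fast path, observable as a shorter response
    salt, stored = record
    return hmac.compare_digest(derive(password, salt, work), stored)


def login_hardened(username: str, password: str, work: list) -> bool:
    """Fixed shape: always derive and always compare, against the dummy
    credential when the user is missing, so both failures cost the same."""
    record = USERS.get(username)
    user_exists = record is not None
    salt, stored = record if user_exists else (_DUMMY_SALT, _DUMMY_HASH)
    match = hmac.compare_digest(derive(password, salt, work), stored)
    return match and user_exists  # a dummy-credential match must never log in


def hash_work(login, username: str, password: str) -> int:
    """Number of slow derivations `login` performed for this attempt."""
    work: list = []
    login(username, password, work)
    return len(work)
```

`hash_work` makes the discrepancy explicit: the vulnerable realm does 0 derivations for an unknown user and 1 for a known one, while the hardened realm does exactly 1 in both cases.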
CVSS Metrics (Common Vulnerability Scoring System)
Vector String: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Known Affected Software
31 configuration(s) from 1 vendor(s)
CPUAPR2026: Oracle Critical Patch Update Advisory - April 2026
Severity Details
Weakness Type (CWE): Observable Timing Discrepancy
- Description: Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful…
- Typical Severity: Medium
- Abstraction Level: Base
Key Information
- Published Date: February 10, 2026
