Observable Timing Discrepancy in Apache Shiro by Apache Software Foundation
CVE-2026-23901

1LOW

Key Information:

Vendor: Apache
Status: Apache Shiro
Vendor: CVE Published:; 10 February 2026

What is CVE-2026-23901?

The vulnerability in Apache Shiro allows attackers to exploit timing discrepancies between requests for existing and non-existent users. Attackers can leverage this information to conduct brute-force attacks more effectively. This issue is primarily a local attack risk, as it enables the determination of whether a username is valid based solely on the timing of responses. Users are advised to upgrade to version 2.0.7 or later to mitigate this vulnerability and strengthen their security.

Affected Version(s)

Apache Shiro 0 < 2.0.7

References

https://lists.apache.org/thread/mm1jct9b86jvnh3y44tj22xvj...

vendor-advisory

CVSS V4

Score:

Severity:

LOW

Confidentiality:

Low

Integrity:

None

Availability:

None

Attack Vector:

Local

Attack Complexity:

High

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 10, 2026
Vulnerability Reserved
Jan 17, 2026

Credit

4ra1n

Y4tacker

lprimak

CVE-2026-23901 Data

JSON