LDAP Injection Vulnerability in Apache Shiro by Apache
CVE-2026-49268

8.8HIGH

Key Information:

Vendor: Apache
Status: Apache Shiro
Vendor: CVE Published:; 17 June 2026

What is CVE-2026-49268?

A security flaw exists in Apache Shiro's DefaultLdapRealm class, where user-supplied username input is directly concatenated into the LDAP Distinguished Name (DN) template without proper escaping of RFC 2253 special characters. This vulnerability allows a remote attacker to manipulate the DN structure during LDAP bind authentication. As a result, an attacker could potentially bypass authentication mechanisms or impersonate legitimate users. Users of all Apache Shiro versions prior to 2.2.1 and 3.0.0-alpha-2 are at risk and should upgrade immediately.

Affected Version(s)

Apache Shiro 0 <= 2.2.0

Apache Shiro 3.0.0-alpha-0 <= 3.0.0-alpha-1

References

https://lists.apache.org/thread/svszql3od8td7hn6conyj2oq7...

vendor-advisory

CVSS V4

Score:

8.8

Severity:

HIGH

Confidentiality:

Low

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 17, 2026
Vulnerability Reserved
May 28, 2026

Credit

zhaokaifei (reporter) - ChinaTelecom

Lenny Primak <lenny@flowlogix.com>

CVE-2026-49268 Data

JSON