Authentication Bypass in Apache Shiro with shiro-guice Module
CVE-2026-56091
8.2 HIGH
What is CVE-2026-56091?
An authentication bypass vulnerability exists in Apache Shiro when the shiro-guice module is used in a web servlet context. A specially crafted HTTP request can exploit this weakness and gain unauthorized access. The issue affects all Apache Shiro releases up through the 2.x line, as well as version 3.0.0-alpha-1, whenever the shiro-guice module is deployed within a web servlet context. Users are advised to upgrade to version 3.0.0 or later, where the issue is resolved.
Affected Version(s)
Apache Shiro 0 <= 2.99.99
Apache Shiro 3.0.0-alpha-0 <= 3.0.0-alpha-1
References
CVSS V4
Score: 8.2
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: Physical
Privileges Required: Undefined
User Interaction: None
Timeline
Vulnerability published
Vulnerability Reserved
Credit
LocalHost <localhost.detect@gmail.com>
Lenny Primak <lenny@flowlogix.com>