{"id":"CVE-2026-23901","details":"Observable Timing Discrepancy vulnerability in Apache Shiro.\n\nThis issue affects Apache Shiro: all 1.x releases, and 2.x releases before 2.0.7.\n\nUsers are recommended to upgrade to version 2.0.7 or later, which fixes the issue.\n\nPrior to Shiro 2.0.7, the code path taken for a non-existent user and the one taken for an existing user with a wrong password differ enough that a brute-force attacker can tell the two cases apart from response timing alone, and so enumerate which usernames exist.\n\nThe most likely attack vector is a local attack only.\nThe Shiro security model page, https://shiro.apache.org/security-model.html#username_enumeration, discusses this as well.\n\nTypically, brute-force attacks can be mitigated at the infrastructure level (for example, by rate limiting login attempts).","aliases":["GHSA-c4qc-4q9p-m9q9"],"modified":"2026-03-13T04:09:37.721434Z","published":"2026-02-10T10:15:59.240Z","related":["CGA-w72g-hfhx-xp4f"],"references":[{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2026/02/08/2"},{"type":"REPORT","url":"https://lists.apache.org/thread/mm1jct9b86jvnh3y44tj22xvjtx3xhhh"}],"affected":[{"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"fixed":"2.0.7"}]},{"events":[{"introduced":"0"},{"fixed":"2.0.7"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23901.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"}]}
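The advisory describes the generic shape of this bug class: an authenticator that returns early when the account does not exist skips the expensive password-hash computation, so an unknown username answers much faster than a known username with a wrong password. The example below is added here to illustrate that pattern and the usual fix (always perform one hash computation and one constant-time comparison, using a dummy credential when the user is unknown). It is not Shiro's code and does not reproduce Shiro's actual realm logic or the change made in 2.0.7; the user store, the `login_vulnerable` / `login_hardened` functions and the PBKDF2 parameters are constructed for illustration.

```python
"""Added illustration of a username-enumeration timing oracle in a login
check, and a constant-work variant that closes it. Not Apache Shiro code."""
import hashlib
import hmac
import os
import statistics
import time

# Constructed parameters for the example; a real deployment would tune these.
_ITERATIONS = 50_000


def _pbkdf2(password: str, salt: bytes) -> bytes:
    """Slow password hash; this is the work the vulnerable path skips."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


def make_user_store(creds: dict) -> dict:
    """Constructed in-memory store: username -> (salt, hash). Not real data."""
    store = {}
    for name, pw in creds.items():
        salt = os.urandom(16)
        store[name] = (salt, _pbkdf2(pw, salt))
    return store


# Dummy credential hashed once at startup so the hardened path can do a
# real PBKDF2 computation for unknown users without leaking which case it is.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _pbkdf2("placeholder-not-a-real-password", _DUMMY_SALT)


def login_vulnerable(store: dict, username: str, password: str) -> bool:
    """Early return on unknown user: that branch costs ~0 work, the wrong-password
    branch costs one full PBKDF2. The difference is the observable discrepancy."""
    rec = store.get(username)
    if rec is None:
        return False
    salt, expected = rec
    return hmac.compare_digest(_pbkdf2(password, salt), expected)


def login_hardened(store: dict, username: str, password: str) -> bool:
    """Same work on both paths: one PBKDF2 and one constant-time compare,
    against a dummy record when the user does not exist."""
    rec = store.get(username)
    salt, expected = rec if rec is not None else (_DUMMY_SALT, _DUMMY_HASH)
    ok = hmac.compare_digest(_pbkdf2(password, salt), expected)
    # Even if the guess happened to match the dummy hash, an unknown user fails.
    return ok and rec is not None


def median_ms(fn, store: dict, username: str, password: str, rounds: int = 5) -> float:
    """Median wall-clock time of a login attempt, in milliseconds."""
    samples = []
    for _ in range(rounds):
        t0 = time.perf_counter()
        fn(store, username, password)
        samples.append((time.perf_counter() - t0) * 1000.0)
    return statistics.median(samples)


def timing_ratio(fn, store: dict, known_user: str, rounds: int = 5) -> float:
    """Wrong-password time divided by unknown-user time. A ratio far above 1
    is the oracle an attacker uses to enumerate valid usernames."""
    unknown = median_ms(fn, store, "no-such-user", "wrong-guess", rounds)
    wrong = median_ms(fn, store, known_user, "wrong-guess", rounds)
    return wrong / max(unknown, 1e-9)


if __name__ == "__main__":
    users = make_user_store({"alice": "correct horse battery staple"})
    print("vulnerable ratio:", round(timing_ratio(login_vulnerable, users, "alice"), 1))
    print("hardened ratio:  ", round(timing_ratio(login_hardened, users, "alice"), 1))
```

Running the script prints a ratio in the hundreds or more for `login_vulnerable` and close to 1.0 for `login_hardened`. The hardened version does not remove the brute-force risk itself; as the advisory notes, that is normally handled at the infrastructure level, but it removes the per-request signal that turns a password brute-force into a username enumeration.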