CVE-2026-23901

2.5 LOW

📋 TL;DR

This CVE describes an observable timing discrepancy vulnerability in Apache Shiro authentication. Attackers can use timing differences to distinguish between non-existent users and incorrect passwords, enabling user enumeration. This affects Apache Shiro versions 1.* and 2.* before 2.0.7.

💻 Affected Systems

Products:
  • Apache Shiro
Versions: 1.*, 2.* before 2.0.7
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all deployments using vulnerable Shiro versions for authentication.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could enumerate valid usernames, then perform targeted password brute-force attacks against known accounts.

🟠 Likely Case

Local attackers could identify valid user accounts, increasing the efficiency of credential stuffing attacks.

🟢 If Mitigated

With proper network controls and rate limiting, impact is limited to potential user enumeration without credential compromise.

🌐 Internet-Facing: LOW
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Attack requires timing measurements but no special tools beyond standard HTTP clients.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.0.7 or later

Vendor Advisory: https://lists.apache.org/thread/mm1jct9b86jvnh3y44tj22xvjtx3xhhh

Restart Required: Yes

Instructions:

1. Download Apache Shiro 2.0.7 or later.
2. Replace the existing Shiro JAR files.
3. Restart the application server.
4. Verify that authentication still works correctly.

🔧 Temporary Workarounds

Implement rate limiting (applies to: all)

Add request rate limiting at the application or infrastructure level to prevent timing-based enumeration.

Add random delays (applies to: all)

Implement uniform response times for all authentication attempts regardless of outcome.
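As an added illustration of the "uniform response times" workaround (example code, not Apache Shiro's own implementation or API): the leaky path returns before any hashing when the user is unknown, while the mitigated path always performs exactly one password hash, against a decoy record if necessary, so unknown-user and wrong-password attempts do the same work. Equal work is more robust than random jitter, which repeated measurements average away. The user store, password and PBKDF2 parameters are constructed.

```python
import hashlib
import hmac
import os
import secrets

# Constructed example: PBKDF2 parameters and a tiny in-memory user store.
ITERATIONS = 100_000
HASH_CALLS = 0  # instrumentation: how many expensive hashes a login performed

def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256, the slow step that dominates login latency."""
    global HASH_CALLS
    HASH_CALLS += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_record(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}

USERS = {"alice": make_record("correct horse battery staple")}  # constructed
# Decoy record with an unguessable random password: verifying against it
# costs exactly as much as a real record but can never succeed.
DUMMY = make_record(secrets.token_hex(32))

def authenticate_leaky(username: str, password: str) -> bool:
    """Vulnerable pattern: unknown users return before any hashing, so
    'no such user' is measurably faster than 'wrong password'."""
    record = USERS.get(username)
    if record is None:
        return False  # fast path leaks account existence
    return hmac.compare_digest(hash_password(password, record["salt"]), record["hash"])

def authenticate_uniform(username: str, password: str) -> bool:
    """Mitigated pattern: always hash exactly once, against the decoy when
    the user is unknown, and only then reject unknown users."""
    record = USERS.get(username)
    known = record is not None
    target = record if known else DUMMY
    match = hmac.compare_digest(hash_password(password, target["salt"]), target["hash"])
    return known and match

def count_hash_calls(authenticate, username: str, password: str):
    """Return (accepted, number of PBKDF2 calls) for one login attempt."""
    before = HASH_CALLS
    accepted = authenticate(username, password)
    return accepted, HASH_CALLS - before
```

The hash-call count stands in for wall-clock time: the leaky variant does zero hashes for an unknown user and one for a wrong password, while the mitigated variant does one in both cases.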

🧯 If You Can't Patch

  • Implement network-level rate limiting and monitoring for authentication attempts
  • Deploy WAF rules to detect and block timing-based enumeration patterns

🔍 How to Verify

Check if Vulnerable:

Check Shiro version in application dependencies or classpath. Vulnerable if version is 1.* or 2.* < 2.0.7.

Check Version:

Check Maven/Gradle dependencies or examine the version of the shiro-core-*.jar file.

Verify Fix Applied:

Verify that the Shiro version is 2.0.7 or later and that authentication tests with timing measurements show consistent response times.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed authentication attempts with varying response times
  • Patterns of authentication attempts against non-existent users

Network Indicators:

  • Unusual volume of authentication requests from single source
  • Requests with incremental timing measurements

SIEM Query:

source="auth.log" ("authentication failed" OR "login failed") | stats count by src_ip, user | where count > threshold
