CVE-2026-23903

5.3 MEDIUM

📋 TL;DR

This CVE describes an authentication bypass vulnerability in Apache Shiro where attackers can access protected static files by changing the case of filenames in requests. It affects Apache Shiro versions before 2.0.7 when deployed on case-insensitive filesystems like macOS defaults. The vulnerability allows unauthorized access to files that should be protected by Shiro's security filters.

💻 Affected Systems

Products:
  • Apache Shiro
Versions: All versions before 2.0.7
Operating Systems: macOS (default configuration), Windows, Any OS with case-insensitive filesystem configuration
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects static files served through Shiro. Requires case-insensitive filesystem and lower-case-only filter configurations.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain unauthorized access to sensitive static files containing credentials, configuration data, or proprietary information, potentially leading to full system compromise.

🟠 Likely Case

Unauthorized access to static files that should be protected, potentially exposing sensitive application resources or configuration files.

🟢 If Mitigated

No impact when proper case-insensitive filtering is enabled or when deployed on case-sensitive filesystems.

🌐 Internet-Facing: MEDIUM - Exploitation requires specific conditions (case-insensitive filesystem) and knowledge of protected static file names.
🏢 Internal Only: LOW - Internal attackers would need specific knowledge of protected static files and access to the application.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward: the attacker only needs to change the case of the filename in the HTTP request. No authentication is required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.0.7

Vendor Advisory: https://lists.apache.org/thread/5jjf0hnjcol58z2m5y255c7scz1lnp8k

Restart Required: Yes

Instructions:

1. Upgrade Apache Shiro to version 2.0.7 or later.
2. For Shiro 2.0.7, enable case-insensitive filtering by adding 'shiro.caseInsensitive=true' to application.properties or 'filterChainResolver.caseInsensitive = true' to shiro.ini.
3. Restart the application.

🔧 Temporary Workarounds

Enable case-insensitive filtering

Applies to: all

Configure Shiro to use case-insensitive path matching for static files:

Add to shiro.ini: filterChainResolver.caseInsensitive = true
Add to application.properties: shiro.caseInsensitive=true

Use a case-sensitive filesystem

Applies to: all

Deploy the application on a case-sensitive filesystem:

Format the filesystem as case-sensitive (e.g., APFS case-sensitive on macOS)

🧯 If You Can't Patch

  • Deploy on case-sensitive filesystem to prevent exploitation
  • Implement web application firewall rules to block requests with mixed-case static file paths

🔍 How to Verify

Check if Vulnerable:

Check whether the Apache Shiro version is below 2.0.7 and the application serves static files from a case-insensitive filesystem with only lower-case filter paths configured.

Check Version:

For Maven builds, check the Shiro dependency in pom.xml (the fixed release reads <version>2.0.7</version>); otherwise inspect the application's resolved dependencies.

Verify Fix Applied:

1. Verify the Shiro version is 2.0.7 or higher.
2. Confirm caseInsensitive=true is set in the configuration.
3. Test that static files cannot be accessed using different case variations of their paths.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests for static files with mixed-case filenames
  • Access to protected static files without authentication

Network Indicators:

  • HTTP requests with case variations of known static file paths
  • Unusual access patterns to static resources

SIEM Query:

http.request.uri contains "." AND http.request.uri matches /[A-Z]/ AND http.response.status = 200
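The SIEM query above flags every successful request whose URI contains an upper-case letter, so it will also fire on legitimately mixed-case assets (Logo.PNG, Index.html under an already-protected prefix) and needs tuning against the filter chain actually deployed. The following added example (not code from the advisory or from the Shiro project) shows the two halves of that tuning: a small path-matching routine that illustrates why a lower-case-only filter chain misses a case-variant request and how case-folding the request path before matching closes the gap, and a log scanner that reports only those 200 responses where the folded path would have hit a non-anonymous filter while the literal path hit none. The filter chain, the log lines and the Common Log Format layout are constructed for the demo; the `**` handling is a deliberate simplification of Ant-style matching, and the assumption that Shiro's caseInsensitive setting lower-cases the request path before matching is an assumption of this example, not a statement about Shiro's internals.

```python
import re
from fnmatch import fnmatchcase

# Constructed filter chain in the style of a shiro.ini [urls] section:
# lower-case Ant-style patterns mapped to the filter that guards them.
# (Constructed for this example; not the page's or Shiro's own configuration.)
FILTER_CHAIN = {
    "/admin/**": "authc",
    "/static/private/**": "authc",
    "/static/public/**": "anon",
}

# Constructed access-log lines (Common Log Format style) used as sample input.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2026:10:00:00 +0000] "GET /static/public/app.js HTTP/1.1" 200 5120
10.0.0.7 - - [01/Jan/2026:10:00:01 +0000] "GET /static/private/config.json HTTP/1.1" 302 0
10.0.0.7 - - [01/Jan/2026:10:00:02 +0000] "GET /Static/Private/config.json HTTP/1.1" 200 812
10.0.0.9 - - [01/Jan/2026:10:00:03 +0000] "GET /admin/Index.html HTTP/1.1" 200 2048
10.0.0.9 - - [01/Jan/2026:10:00:04 +0000] "GET /images/Logo.PNG HTTP/1.1" 200 9000
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def ant_to_fnmatch(pattern):
    # Simplification of Ant-style matching: "**" and "*" both become the fnmatch
    # "*", which also crosses "/" boundaries. Adequate for prefix patterns such
    # as "/admin/**"; it is not a full reimplementation of Shiro's AntPathMatcher.
    return pattern.replace("**", "*")


def resolve_filter(path, chain, case_insensitive):
    """Return the filter name of the first chain entry matching `path`, or None.

    With case_insensitive=True the request path is lower-cased before matching.
    That is this example's model of what a caseInsensitive setting achieves
    (an assumption; Shiro may normalize differently internally).
    """
    candidate = path.lower() if case_insensitive else path
    for pattern, filter_name in chain.items():
        if fnmatchcase(candidate, ant_to_fnmatch(pattern)):
            return filter_name
    return None


def parse_log(text):
    """Yield (method, path, status) for each CLF-style line that parses."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.group("method"), m.group("path"), int(m.group("status"))


def find_case_variant_hits(text, chain):
    """Flag successful (200) requests whose literal path matched no filter but
    whose case-folded path lands on a non-anonymous filter: the signature of a
    protected resource being served to a case-variant request."""
    hits = []
    for _method, path, status in parse_log(text):
        if status != 200 or path == path.lower():
            continue  # not served, or nothing case-variant about the path
        strict = resolve_filter(path, chain, case_insensitive=False)
        folded = resolve_filter(path, chain, case_insensitive=True)
        if folded not in (None, "anon") and strict != folded:
            hits.append((path, folded))
    return hits


if __name__ == "__main__":
    for path, filter_name in find_case_variant_hits(SAMPLE_LOG, FILTER_CHAIN):
        print(f"case-variant access to resource guarded by '{filter_name}': {path}")
```

Run against the sample log, the scanner reports only /Static/Private/config.json: /admin/Index.html contains upper-case letters but is already matched by the strict chain, and /images/Logo.PNG matches no filter either way, so neither is a bypass even though the broad `[A-Z]` query would list both. The same `resolve_filter` call with `case_insensitive=True` is the check worth running in a staging environment after enabling the setting described in the Fix section.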
