Apache Shiro

Known Exploited Apache Shiro Vulnerabilities

The following Apache Shiro vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.

Title: Apache Shiro 1.2.4 Cookie RememberME Deserial Remote Code Execution Vulnerability (CVE-2016-4437)
Description: Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.
Exploit Probability: 94.1%
Added: November 3, 2021

The vulnerability CVE-2016-4437: Apache Shiro 1.2.4 Cookie RememberME Deserial Remote Code Execution Vulnerability is in the top 1% of the currently known exploitable vulnerabilities.

By the Year

In 2026 there have been 2 vulnerabilities in Apache Shiro with an average score of 5.3 out of ten. Shiro did not have any published security vulnerabilities last year. That is, 2 more vulnerabilities have already been reported in 2026 as compared to last year.

Year  Vulnerabilities  Average Score
2026  2                5.30
2025  0                0.00
2024  1                6.50
2023  3                7.33
2022  3                9.03
2021  2                9.80
2020  4                8.65
2019  1                0.00

It may take a day or so for new Shiro vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Apache Shiro Security Vulnerabilities

Apache Shiro 1.x/2.x Timing Attack (user enumeration) 2.0.7 fixes
CVE-2026-23901 - February 10, 2026

Observable Timing Discrepancy vulnerability in Apache Shiro. This issue affects Apache Shiro 1.* and 2.* before 2.0.7. Users are recommended to upgrade to version 2.0.7 or later, which fixes the issue. Prior to Shiro 2.0.7, the code paths for non-existent and existing users differ enough that a brute-force attack may be able to determine, by timing the requests alone, whether a request failed because of a non-existent user or because of a wrong password. The most likely attack vector is a local attack only. The Shiro security model documentation (https://shiro.apache.org/security-model.html#username_enumeration) discusses this as well. Typically, brute-force attacks can be mitigated at the infrastructure level.

Observable Timing Discrepancy

Apache Shiro case-insensitive static file auth bypass (<=2.0.6)
CVE-2026-23903 5.3 - Medium - February 09, 2026

Authentication Bypass by Alternate Name vulnerability in Apache Shiro. This issue affects Apache Shiro before 2.0.7. Users are recommended to upgrade to version 2.0.7, which fixes the issue. The issue only affects static files. If static files are served from a case-insensitive filesystem, such as a default macOS setup, static files may be accessed by varying the case of the filename in the request. If only lower-case filters (the common default) are present in Shiro, they may be bypassed this way. Shiro 2.0.7 and later has new parameters to remediate this issue:

shiro.ini: filterChainResolver.caseInsensitive = true
application.properties: shiro.caseInsensitive=true

Shiro 3.0.0 and later (upcoming) makes this the default.

Authentication Bypass by Alternate Name

Apache Shiro <1.13.0 Auth Bypass via Path Traversal with Rewriter
CVE-2023-46749 6.5 - Medium - January 15, 2024

Apache Shiro before 1.13.0 or 2.0.0-alpha-4 may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting. Mitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+, or ensure `blockSemicolon` is enabled (this is the default).

Directory traversal

Apache Shiro <1.13.0 Open Redirect via Form Auth
CVE-2023-46750 4.7 - Medium - December 14, 2023

URL Redirection to Untrusted Site ('Open Redirect') vulnerability when "form" authentication is used in Apache Shiro. Mitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+.

Open Redirect

Apache Shiro Path Traversal Auth Bypass (v<1.12.0 / 2.0.0-alpha-3)
CVE-2023-34478 9.8 - Critical - July 24, 2023

Apache Shiro before 1.12.0 or 2.0.0-alpha-3 may be susceptible to a path traversal attack that results in an authentication bypass when used together with APIs or other web frameworks that route requests based on non-normalized requests. Mitigation: Update to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+.

Directory traversal

Auth Bypass in Apache Shiro <1.11.0 via Spring Boot 2.6+ Pathmatch
CVE-2023-22602 7.5 - High - January 14, 2023

When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass. The authentication bypass occurs when Shiro and Spring Boot are using different pattern-matching techniques. Both Shiro and Spring Boot < 2.6 default to Ant style pattern matching. Mitigation: Update to Apache Shiro 1.11.0, or set the following Spring Boot configuration value: `spring.mvc.pathmatch.matching-strategy = ant_path_matcher`

Interpretation Conflict

Apache Shiro Timing Side-Channel in Token Validation (HMAC)
CVE-2015-10004 7.5 - High - December 27, 2022

Token validation methods are susceptible to a timing side-channel during HMAC comparison. With a large enough number of requests over a low latency connection, an attacker may use this to determine the expected HMAC.

Exposure of Resource to Wrong Sphere

Authentication Bypass in Apache Shiro <1.10 via RequestDispatcher
CVE-2022-40664 9.8 - Critical - October 12, 2022

Apache Shiro before 1.10.0 contains an authentication bypass vulnerability that is triggered when forwarding or including via RequestDispatcher.

Authentication

Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers
CVE-2022-32532 9.8 - Critical - June 29, 2022

In Apache Shiro before 1.9.1, a RegexRequestMatcher can be misconfigured so that it is bypassed on some servlet containers. Applications using RegExPatternMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.

AuthZ

Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass
CVE-2021-41303 9.8 - Critical - September 17, 2021

Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass. Users should update to Apache Shiro 1.8.0.

Apache Shiro before 1.7.1
CVE-2020-17523 - February 03, 2021

Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.

Apache Shiro before 1.7.0
CVE-2020-17510 - November 05, 2020

Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.

Apache Shiro before 1.6.0
CVE-2020-13933 7.5 - High - August 17, 2020

In Apache Shiro before 1.6.0, a specially crafted HTTP request may cause an authentication bypass.

Apache Shiro before 1.5.3
CVE-2020-11989 - June 22, 2020

Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.

Apache Shiro before 1.5.2
CVE-2020-1957 9.8 - Critical - March 25, 2020

Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.

Apache Shiro before 1.4.2
CVE-2019-12422 - November 18, 2019

Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack.

Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature
CVE-2016-4437 9.8 - Critical - June 07, 2016

Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.

Use of Hard-coded Cryptographic Key
