LDAP DN Injection in Apache Shiro 2.2.0 DefaultLdapRealm
CVE-2026-49268 Published on June 17, 2026
Apache Shiro: LDAP DN Injection in DefaultLdapRealm
A remote attacker can inject LDAP special characters into the Distinguished Name (DN) construction in the DefaultLdapRealm class. User-supplied username input is directly concatenated into the LDAP DN template without any escaping of RFC 2253 special characters. This allows an attacker to manipulate the DN structure used for LDAP bind authentication, potentially bypassing authentication or impersonating other users.
This issue affects all Apache Shiro versions through 2.2.0, and 3.0.0-alpha-1 when using DefaultLdapRealm.
Upgrade to Apache Shiro 2.2.1 or 3.0.0-alpha-2 or later, which fixes the issue.
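The following is an added illustration, not code from Apache Shiro or from the fix release: it contrasts the naive DN construction the advisory describes with the RFC 2253/RFC 4514 value escaping that keeps a username confined to a single RDN, and adds a structural check a defender can use to confirm the template's RDN count is preserved. The DN template, the `{0}` placeholder and the sample usernames are constructed assumptions.

```python
"""Contrast unescaped DN concatenation with RFC 4514 value escaping.

Added example for this advisory; it is not Shiro's implementation.
The template and sample inputs below are constructed for illustration.
"""

# Characters that RFC 4514 section 2.4 (successor of RFC 2253) requires
# escaping anywhere inside an attribute value.
_SPECIAL = set(',+"\\<>;')

# Assumed Shiro-style template: a single {0} placeholder for the username.
USER_DN_TEMPLATE = "uid={0},ou=users,dc=example,dc=com"


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for safe use inside a DN (RFC 4514 s2.4)."""
    out = []
    for ch in value:
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")  # NUL must be hex-escaped
        else:
            out.append(ch)
    s = "".join(out)
    # A leading '#' or space and a trailing space also need escaping.
    if value.startswith("#") or value.startswith(" "):
        s = "\\" + s
    if value.endswith(" "):
        s = s[:-1] + "\\ "
    return s


def build_user_dn_unsafe(username: str) -> str:
    """The defect pattern: raw username substituted into the template."""
    return USER_DN_TEMPLATE.replace("{0}", username)


def build_user_dn_safe(username: str) -> str:
    """Hardened form: the username is escaped before substitution."""
    return USER_DN_TEMPLATE.replace("{0}", escape_dn_value(username))


def count_rdns(dn: str) -> int:
    """Count RDN components, treating backslash-escaped commas as literals."""
    n, i = 1, 0
    while i < len(dn):
        if dn[i] == "\\":
            i += 2  # skip the escaped character
            continue
        if dn[i] == ",":
            n += 1
        i += 1
    return n


def preserves_template_structure(dn: str) -> bool:
    """Defensive check: a built DN must have exactly as many RDNs as the template."""
    return count_rdns(dn) == count_rdns(USER_DN_TEMPLATE)


if __name__ == "__main__":
    # Constructed username containing a DN separator.
    name = "alice,ou=admins"
    for label, dn in (("unsafe", build_user_dn_unsafe(name)),
                      ("safe", build_user_dn_safe(name))):
        print(f"{label:6} {dn!r:50} rdns={count_rdns(dn)} "
              f"ok={preserves_template_structure(dn)}")
```

The structural check is a belt-and-braces control rather than a substitute for escaping: it flags any DN whose RDN count differs from the template's, which is exactly the effect the advisory warns about when special characters are passed through unescaped.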
Weakness Type
What is an LDAP Injection Vulnerability?
The software constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.
CVE-2026-49268 has been classified as an LDAP Injection vulnerability or weakness.
Products Associated with CVE-2026-49268
Affected Versions
Apache Software Foundation Apache Shiro:
- Versions up to and including 2.2.0 are affected.
- Versions from 3.0.0-alpha-0 up to and including 3.0.0-alpha-1 are affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.