Apache Shiro Bypass via shiro-guice in web (2.x, 3.0.0-alpha) upgrade 3.0.0
CVE-2026-56091 Published on June 25, 2026
Apache Shiro: Authentication bypass in Guice-Web integration
When using Apache Shiro with the shiro-guice module in a web servlet context, a specially crafted HTTP request may cause an authentication bypass.
This vulnerability is similar to CVE-2020-1957 (https://www.cve.org/CVERecord?id=CVE-2020-1957), except that it affects the `shiro-guice` module instead of the `shiro-spring` module.
This issue affects all Apache Shiro versions through 2.x and 3.0.0-alpha-1, but only when the `shiro-guice` module is used in a web servlet context.
Upgrade to version 3.0.0 or later, which fixes the issue.
Weakness Type
Authentication Bypass by Alternate Name
The software performs authentication based on the name of a resource being accessed, or the name of the actor performing the access, but it does not properly check all possible names for that resource or actor.
Products Associated with CVE-2026-56091
Affected Versions
Apache Software Foundation Apache Shiro:
- Versions before and including 2.99.99 are affected.
- Versions from 3.0.0-alpha-0 up to and including 3.0.0-alpha-1 are affected.
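An added example (not code from the advisory or from the Shiro project) that turns the affected and fixed ranges above into a check a defender can run over `mvn dependency:tree` output: pre-release ordering matters, since `3.0.0-alpha-1` is affected while `3.0.0` is fixed. It assumes the standard Maven coordinate format and a constructed sample tree; only `shiro-guice` itself is in scope.

```python
# Added example, not from the advisory or the Shiro project: classify a
# shiro-guice version against the advisory's ranges and scan `mvn dependency:tree`
# output (constructed sample below) for affected artifacts.
import re
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)-?(\d+)?)?$")

def parse_version(text):
    """Ordering tuple; a release sorts after its own pre-releases (alpha < final)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    major, minor, patch, tag, tag_num = m.groups()
    return (int(major), int(minor), int(patch),
            0 if tag else 1, (tag or "").lower(), int(tag_num or 0))

# Ranges exactly as the advisory states them (inclusive bounds).
AFFECTED_RANGES = [
    (parse_version("0.0.0"), parse_version("2.99.99")),
    (parse_version("3.0.0-alpha-0"), parse_version("3.0.0-alpha-1")),
]
FIXED_FROM = parse_version("3.0.0")

def classify(version):
    """Return 'affected', 'fixed', or 'not listed' for a shiro-guice version."""
    v = parse_version(version)
    if any(lo <= v <= hi for lo, hi in AFFECTED_RANGES):
        return "affected"
    if v >= FIXED_FROM:
        return "fixed"
    return "not listed"  # a pre-release the advisory does not mention

def scan_dependency_tree(tree_output):
    """[(version, verdict)] per shiro-guice line; coordinates are
    groupId:artifactId:type[:classifier]:version[:scope]."""
    found = []
    for line in tree_output.splitlines():
        for token in line.split():
            parts = token.split(":")
            if parts[:2] != ["org.apache.shiro", "shiro-guice"]:
                continue
            version = next((p for p in parts[3:] if p[:1].isdigit()), None)
            if version is not None:
                found.append((version, classify(version)))
    return found

# Constructed sample tree (not a real project); shiro-core alone is not in scope.
SAMPLE_TREE = """\
[INFO] +- org.apache.shiro:shiro-guice:jar:2.0.0:compile
[INFO] |  \\- org.apache.shiro:shiro-core:jar:2.0.0:compile
"""
```

Feed it the real output of `mvn dependency:tree` from the build being assessed; any entry reported as `affected` should be upgraded to 3.0.0 or later.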