This page lists publicly disclosed CVE vulnerabilities affecting apache shiro (linked via NVD CPE). Each row includes severity scores, summaries, and publication dates to help identify and analyze security issues.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2026-48589 | Apache Shiro’s Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user login. In affected versions, insufficient validation of this client-controlled value could allow an attacker to influence the redirect target in applications using the Jakarta EE module. This issue affects Apache Shiro from 2.0-alpha to 2.2.0, and 3.0.0-alpha-1, only when using shiro-jakarta-ee integration module. | [email protected] | 0.0 | 0.08% | 2026-05-25 | 2026-05-28 |
| CVE-2026-44598 | With valid login credentials, URL Redirection to Untrusted Site ('Open Redirect'), Server-Side Request Forgery (SSRF) vulnerability in Apache Shiro. This issue affects Apache Shiro from 2.0-alpha to 2.1.0, and 3.0.0-alpha-1, only when using shiro-jakarta-ee integration module. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue by encrypting the cookie. After successful login, Jakarta EE integration module uses shiroSavedRequest cookie to red | [email protected] | 5.1 | 0.12% | 2026-05-25 | 2026-05-28 |
| CVE-2026-43828 | Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attribute. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue. In the affected versions, Shiro-native session manager, as well as Remember-Me manager sends JSESSIONID and rememberMe cookies without 'secure' attribute by default. | [email protected] | 5.9 | 0.03% | 2026-05-25 | 2026-05-28 |
| CVE-2026-43827 | Default configurations of Apache Shiro have a session fixation vulnerability. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue. In the affected versions, when a session already exists, it is not invalidated upon successful login, nor is a new session being generated with a new ID. | [email protected] | 5.9 | 0.06% | 2026-05-25 | 2026-05-28 |
| CVE-2026-23901 | Observable Timing Discrepancy vulnerability in Apache Shiro. This issue affects Apache Shiro: from 1.*, 2.* before 2.0.7. Users are recommended to upgrade to version 2.0.7 or later, which fixes the issue. Prior to Shiro 2.0.7, code paths for non-existent vs. existing users are different enough, that a brute-force attack may be able to tell, by timing the requests only, determine if the request failed because of a non-existent user vs. wrong password. The most likely attack vector is a local | [email protected] | 1.0 | 0.01% | 2026-02-10 | 2026-02-12 |
| CVE-2026-23903 | Authentication Bypass by Alternate Name vulnerability in Apache Shiro. This issue affects Apache Shiro: before 2.0.7. Users are recommended to upgrade to version 2.0.7, which fixes the issue. The issue only effects static files. If static files are served from a case-insensitive filesystem, such as default macOS setup, static files may be accessed by varying the case of the filename in the request. If only lower-case (common default) filters are present in Shiro, they may be bypassed this way | [email protected] | 5.3 | 0.06% | 2026-02-09 | 2026-02-11 |
| CVE-2023-46749 | Apache Shiro before 1.13.0 or 2.0.0-alpha-4, may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting Mitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+, or ensure `blockSemicolon` is enabled (this is the default). | [email protected] | 6.5 | 0.18% | 2024-01-15 | 2025-11-03 |
| CVE-2023-46750 | URL Redirection to Untrusted Site ('Open Redirect') vulnerability when "form" authentication is used in Apache Shiro. Mitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+. | [email protected] | 6.1 | 0.20% | 2023-12-14 | 2025-11-03 |
| CVE-2023-34478 | Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path traversal attack that results in an authentication bypass when used together with APIs or other web frameworks that route requests based on non-normalized requests. Mitigation: Update to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+ | [email protected] | 9.8 | 0.05% | 2023-07-24 | 2025-02-13 |
| CVE-2023-22602 | When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass. The authentication bypass occurs when Shiro and Spring Boot are using different pattern-matching techniques. Both Shiro and Spring Boot < 2.6 default to Ant style pattern matching. Mitigation: Update to Apache Shiro 1.11.0, or set the following Spring Boot configuration value: `spring.mvc.pathmatch.matching-strategy = ant_path_matcher` | [email protected] | 7.5 | 0.15% | 2023-01-14 | 2024-11-21 |
| CVE-2022-40664 | Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher. | [email protected] | 9.8 | 0.65% | 2022-10-12 | 2025-05-15 |
| CVE-2022-32532 | Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers. Applications using RegExPatternMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass. | [email protected] | 9.8 | 81.94% | 2022-06-29 | 2024-11-21 |
| CVE-2021-41303 | Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass. Users should update to Apache Shiro 1.8.0. | [email protected] | 9.8 | 49.29% | 2021-09-17 | 2024-11-21 |
| CVE-2020-17523 | Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass. | [email protected] | 9.8 | 88.77% | 2021-02-03 | 2024-11-21 |
| CVE-2020-17510 | Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass. | [email protected] | 9.8 | 1.80% | 2020-11-05 | 2024-11-21 |
| CVE-2020-13933 | Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted HTTP request may cause an authentication bypass. | [email protected] | 7.5 | 80.93% | 2020-08-17 | 2024-11-21 |
| CVE-2020-11989 | Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass. | [email protected] | 9.8 | 84.74% | 2020-06-22 | 2024-11-21 |
| CVE-2020-1957 | Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass. | [email protected] | 9.8 | 88.60% | 2020-03-25 | 2024-11-21 |
| CVE-2019-12422 | Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack. | [email protected] | 7.5 | 54.90% | 2019-11-18 | 2024-11-21 |
| CVE-2016-6802 | Apache Shiro before 1.3.2 allows attackers to bypass intended servlet filters and gain access by leveraging use of a non-root servlet context path. | [email protected] | 7.5 | 13.51% | 2016-09-20 | 2026-05-06 |