{"id":"CVE-2026-23903","details":"Authentication Bypass by Alternate Name vulnerability in Apache Shiro.\n\nThis issue affects Apache Shiro: before 2.0.7.\n\nUsers are recommended to upgrade to version 2.0.7, which fixes the issue.\n\nThe issue only affects static files. If static files are served from a case-insensitive filesystem,\nsuch as the default macOS setup, static files may be accessed by varying the case of the filename in the request.\nIf only lower-case (common default) filters are present in Shiro, they may be bypassed this way.\n\nShiro 2.0.7 and later has new parameters to remediate this issue:\nshiro.ini: filterChainResolver.caseInsensitive = true\napplication.properties: shiro.caseInsensitive=true\n\nShiro 3.0.0 and later (upcoming) makes this the default.","aliases":["GHSA-c244-p6m5-vqj6"],"modified":"2026-04-09T02:59:11.933944Z","published":"2026-02-09T10:15:57.520Z","related":["CGA-pjgc-2h7p-246m"],"references":[{"type":"ADVISORY","url":"https://lists.apache.org/thread/5jjf0hnjcol58z2m5y255c7scz1lnp8k"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2026/02/08/1"}],"affected":[{"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23903.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"fixed":"2.0.7"}]},{"events":[{"introduced":"0"},{"fixed":"2.0.7"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}]}