
CVE-2026-49268: Apache Shiro LDAP Auth Bypass Vulnerability

CVE-2026-49268 is an LDAP injection authentication bypass vulnerability in Apache Shiro that allows attackers to manipulate DN structures and bypass authentication. This article covers technical details, affected versions, and mitigation.


CVE-2026-49268 Overview

CVE-2026-49268 is an LDAP Injection vulnerability [CWE-90] in the Apache Shiro security framework. The flaw resides in the DefaultLdapRealm class, where user-supplied username input is concatenated directly into the Lightweight Directory Access Protocol (LDAP) Distinguished Name (DN) template. Apache Shiro does not escape RFC 2253 special characters before constructing the DN used for LDAP bind authentication. A remote, unauthenticated attacker can manipulate the DN structure to bypass authentication or impersonate other directory users. The issue affects Apache Shiro releases through 2.2.0 and version 3.0.0-alpha-1 when applications use DefaultLdapRealm.

Critical Impact

Remote attackers can inject LDAP metacharacters into authentication requests, alter the constructed DN, and authenticate as arbitrary users without valid credentials.

Affected Products

  • Apache Shiro versions up to and including 2.2.0
  • Apache Shiro 3.0.0-alpha-1
  • Applications using the DefaultLdapRealm class for LDAP authentication

Discovery Timeline

  • 2026-06-17 - CVE-2026-49268 published to the National Vulnerability Database (NVD)
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2026-49268

Vulnerability Analysis

Apache Shiro's DefaultLdapRealm constructs a Distinguished Name by inserting the submitted username into a static template string. The realm then uses this DN to perform an LDAP bind operation against the directory server. Because the username is concatenated without escaping, attacker-controlled input becomes part of the DN's syntactic structure rather than a single attribute value. The attacker can introduce additional Relative Distinguished Name (RDN) components, terminate the original RDN, or alter the search context entirely. The resulting bind may authenticate the attacker as an arbitrary directory principal.

Root Cause

The root cause is missing input neutralization on RFC 2253 special characters during DN assembly. The comma (,), equals sign (=), plus sign (+), less-than sign (<), greater-than sign (>), number sign (#), semicolon (;), backslash (\) and double quote (") all carry syntactic meaning in a DN. The DefaultLdapRealm implementation does not call an escaping routine before merging the username token into the DN template, producing the LDAP Injection condition tracked under [CWE-90].

Attack Vector

The vulnerability is reachable over the network through any application endpoint that forwards a username to Shiro's LDAP authentication path. The attacker submits a crafted username containing LDAP DN metacharacters during login. Shiro builds a malformed DN and issues a bind request that the directory server interprets according to the attacker's manipulated structure. No prior authentication or user interaction is required. Full exploitation details are available in the Apache Mailing List Thread and the OpenWall OSS Security Post.

Detection Methods for CVE-2026-49268

Indicators of Compromise

  • Authentication log entries containing LDAP metacharacters such as the comma (,), equals sign (=), plus sign (+), backslash (\) or double quote (") inside username fields.
  • LDAP bind requests with unusual or unexpected DN structures originating from the Shiro-protected application.
  • Successful authentications where the resolved bind DN does not match the submitted username.
  • Repeated failed binds followed by a successful bind from the same source within a short window.

Detection Strategies

  • Inspect application access logs for login attempts whose username parameter contains RFC 2253 reserved characters.
  • Correlate web application authentication events with directory server bind logs to detect DN mismatches.
  • Deploy WAF or reverse-proxy rules that flag LDAP metacharacters in authentication parameters.
  • Audit deployed Apache Shiro versions and configurations to identify use of DefaultLdapRealm.
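The first two detection strategies above (flagging usernames that contain RFC 2253 reserved characters, and spotting a burst of failed binds followed by a success from one source) can be run over authentication logs with a few lines of code. The following is an added example written for this page, not code from the Apache Shiro project or from the advisory; the tab-separated log format and every log line are constructed for the demonstration, and the one-minute window and two-failure threshold are assumed tuning values, not figures from the advisory.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# RFC 2253 / RFC 4514 characters that change DN structure when left unescaped.
DN_METACHARS = set(',=+<>#;\\"')

# Constructed sample log: <ISO timestamp> TAB <source IP> TAB <username> TAB <result>.
# A real Shiro deployment's log layout will differ; adapt parse_log() accordingly.
SAMPLE_LOG = """\
2026-06-17T10:00:01Z\t10.0.0.5\talice\tfailure
2026-06-17T10:00:03Z\t10.0.0.5\talice\tfailure
2026-06-17T10:00:04Z\t10.0.0.5\talice,ou=staff\tsuccess
2026-06-17T10:05:00Z\t10.0.0.9\tbob\tsuccess
2026-06-17T10:06:00Z\t10.0.0.9\tcarol+x\tfailure
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\t(?P<src>\S+)\t(?P<user>[^\t]*)\t(?P<result>\w+)$")


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected layout
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
            "src": m.group("src"),
            "user": m.group("user"),
            "result": m.group("result"),
        })
    return events


def has_dn_metachar(username):
    """True when the username contains any RFC 2253 reserved character."""
    return any(ch in DN_METACHARS for ch in username)


def find_metachar_logins(events):
    """Login attempts (success or failure) whose username carries DN metacharacters."""
    return [e for e in events if has_dn_metachar(e["user"])]


def find_fail_then_success(events, window=timedelta(seconds=60), min_failures=2):
    """Per source address: a success preceded by >= min_failures failures inside `window`."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    hits = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            if e["result"] != "success":
                continue
            recent_failures = [
                p for p in evs[:i]
                if p["result"] == "failure" and e["ts"] - p["ts"] <= window
            ]
            if len(recent_failures) >= min_failures:
                hits.append({"src": src, "ts": e["ts"], "user": e["user"],
                             "failures": len(recent_failures)})
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in find_metachar_logins(evs):
        print("metachar username:", e["src"], repr(e["user"]), e["result"])
    for h in find_fail_then_success(evs):
        print("fail-then-success:", h["src"], h["ts"].isoformat(), h["failures"], "failures")
```

Both signals fire on the constructed sample: the metacharacter check flags the `alice,ou=staff` and `carol+x` attempts, and the burst check flags the 10.0.0.5 success that follows two failures within the window. On real data, treat the metacharacter hit as the higher-confidence indicator and use the burst check to prioritise which sources to correlate against directory-side bind logs.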

Monitoring Recommendations

  • Forward LDAP server bind logs and Shiro authentication logs to a centralized analytics pipeline for correlation.
  • Alert on bind operations whose target DN falls outside the expected user base subtree.
  • Track sudden changes in the volume or distribution of successful LDAP binds per application instance.

How to Mitigate CVE-2026-49268

Immediate Actions Required

  • Upgrade Apache Shiro to version 2.2.1 or 3.0.0-alpha-2, which apply DN escaping in DefaultLdapRealm.
  • Inventory all internal services that embed Apache Shiro and confirm which ones load DefaultLdapRealm.
  • Rotate any credentials and session tokens for accounts that may have been impersonated through the affected endpoint.
  • Review authentication logs back to the deployment date of the vulnerable Shiro version for signs of abuse.

Patch Information

The Apache Shiro project addressed the issue by escaping RFC 2253 special characters before username input is incorporated into the DN template. Patched releases are Apache Shiro 2.2.1 and Apache Shiro 3.0.0-alpha-2. Application owners should rebuild and redeploy services against the fixed artifacts and verify the resolved Shiro version in the runtime classpath.
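To make the root cause and the fix concrete, here is an added example that is not code from Apache Shiro or from the advisory. It fills a DN template the way the Root Cause section describes (the `{0}` placeholder follows Shiro's userDnTemplate convention; the template value itself is constructed), once without escaping and once with an escaping routine that applies the RFC 4514 rules (RFC 4514 is the successor of RFC 2253 cited on the page), and then counts the RDN components of the resulting DN so the structural change caused by unescaped input is visible and checkable. The function and variable names are the example's own.

```python
# Constructed template in Shiro's userDnTemplate style; not a value from the advisory.
USER_DN_TEMPLATE = "uid={0},ou=users,dc=example,dc=com"

# RFC 4514 section 2.4: characters that must be escaped anywhere in an attribute value.
DN_SPECIAL = set(',+"\\<>;')


def escape_dn_value(value):
    """Escape a single attribute value for use inside a DN (RFC 4514 rules)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")               # NUL is written as a hex pair
        elif ch == "#" and i == 0:
            out.append("\\#")                # '#' is special only at the start
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")                # leading/trailing space is special
        else:
            out.append(ch)
    return "".join(out)


def build_dn(template, username, escape=True):
    """Fill the template; escape=False reproduces the unescaped concatenation."""
    value = escape_dn_value(username) if escape else username
    return template.replace("{0}", value)


def split_rdns(dn):
    """Split a DN on unescaped commas, honouring backslash escapes."""
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])      # keep the escape pair together
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return parts


def rdn_count_preserved(template, username):
    """True when unescaped insertion of `username` leaves the RDN count unchanged.

    A False result means the raw input would alter DN structure, which is the
    condition the escaping in build_dn() prevents."""
    expected = len(split_rdns(template))
    actual = len(split_rdns(build_dn(template, username, escape=False)))
    return actual == expected


if __name__ == "__main__":
    # Constructed usernames: one benign, one carrying a DN metacharacter.
    for name in ("alice", "alice,ou=staff"):
        raw = build_dn(USER_DN_TEMPLATE, name, escape=False)
        safe = build_dn(USER_DN_TEMPLATE, name, escape=True)
        print(f"{name!r}: unescaped -> {len(split_rdns(raw))} RDNs, "
              f"escaped -> {len(split_rdns(safe))} RDNs, "
              f"structure preserved: {rdn_count_preserved(USER_DN_TEMPLATE, name)}")
```

The escaped DN keeps the username inside a single `uid=` RDN regardless of its content, which is the property the patched releases restore; `rdn_count_preserved` is the kind of check a custom realm or an input filter can apply in front of an unpatched DefaultLdapRealm as an interim measure.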

Workarounds

  • Replace DefaultLdapRealm with a custom realm that performs explicit DN escaping or uses parameterized LDAP search-then-bind logic.
  • Apply server-side input validation that rejects LDAP metacharacters in username fields before the request reaches Shiro.
  • Restrict the LDAP bind account's search base so manipulated DNs cannot reach privileged organizational units.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
