Authentication Bypass by Alternate Name vulnerability in Apache Shiro. This issue affects Apache Shiro: before 2.0.7. Users are…
apache · CWE-289 · Published 2026-02-09
Authentication Bypass by Alternate Name vulnerability in Apache Shiro. This issue affects Apache Shiro before 2.0.7. Users are recommended to upgrade to version 2.0.7, which fixes the issue.

The issue only affects static files. If static files are served from a case-insensitive filesystem, such as the default macOS setup, static files may be accessed by varying the case of the filename in the request. If only lower-case filters (the common default) are present in Shiro, they may be bypassed this way.

Shiro 2.0.7 and later has new parameters to remediate this issue:

* shiro.ini: `filterChainResolver.caseInsensitive = true`
* application.properties: `shiro.caseInsensitive=true`

Shiro 3.0.0 and later (upcoming) makes this the default.
### Impact

**Authentication Bypass:** A vulnerability exists in Apache Shiro that allows authentication bypass for static files when served from a case-insensitive filesystem (such as the default configuration on macOS or Windows). The issue arises when Shiro's URL filters are configured with lower-case rules (a common default), but the underlying operating system treats mixed-case filenames as identical. An attacker can access protected static resources by varying the capitalization of the filename in the request (e.g., requesting `/SECRET.TXT` to bypass a rule for `/secret.txt`). This issue specifically affects static file handling and does not impact dynamic resource paths that are case-sensitive.

### Patches

Users should upgrade to Apache Shiro **2.1.0** or later.

**Important Configuration Note:** Version 2.1.0 introduces a new configuration parameter to handle case-insensitivity, which must be enabled manually to resolve the issue:

* **shiro.ini:**

  ```ini
  filterChainResolver.caseInsensitive = true
  ```

* **Spring Boot (application.properties):**

  ```properties
  shiro.caseInsensitive=true
  ```

*Note: Apache Shiro 3.0.0 (upcoming) will enable this setting by default.*

### Workarounds

* Ensure that the filesystem hosting the application is case-sensitive (e.g., Linux/Unix).
* Manually configure all Shiro filter chains to handle all possible case variations of protected filenames (not recommended due to complexity).

### Resources

* [CVE-2026-23903](https://nvd.nist.gov/vuln/detail/CVE-2026-23903)
* [Mailing List Announcement](https://lists.apache.org/thread/5jjf0hnjcol58z2m5y255c7scz1lnp8k)
* [OSS-Security List](http://www.openwall.com/lists/oss-security/2026/02/08/1)
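The following is an added illustration written for this advisory, not Shiro's own code. It models how a first-match, Ant-style filter chain behaves with and without case folding (the `caseInsensitive` behaviour the patch adds), audits a few constructed access-log lines for requests that are `anon` under exact matching but protected once case-folded (the shape of this bypass on a case-insensitive filesystem), and checks whether a `shiro.ini` text actually sets `filterChainResolver.caseInsensitive = true` in `[main]`. `FILTER_CHAINS`, `SAMPLE_LOG`, the simplified Ant matcher and every function name here are constructed for the example.

```python
"""Case-folding model of Shiro-style filter chains plus a log/config audit.
Illustration for CVE-2026-23903; it is not Apache Shiro's implementation."""
import re
from urllib.parse import urlsplit

# Constructed [urls]-style chain definitions: first matching pattern wins,
# as in Shiro's filter chain resolution. Rules are lower-case (common default).
FILTER_CHAINS = [
    ("/static/secret.txt", "authc"),
    ("/admin/**", "authc"),
    ("/**", "anon"),
]


def _ant_to_regex(pattern: str) -> str:
    """Simplified Ant-style pattern -> anchored regex (** spans '/', * and ? do not)."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return "^" + "".join(out) + "$"


def resolve_chain(path: str, chains=FILTER_CHAINS, case_insensitive: bool = False):
    """Return the filter name of the first chain matching `path`.
    case_insensitive=False models the pre-2.0.7 behaviour: a lower-case rule
    does not match a mixed-case request path, so the request falls through."""
    flags = re.IGNORECASE if case_insensitive else 0
    for pattern, filter_name in chains:
        if re.match(_ant_to_regex(pattern), path, flags):
            return filter_name
    return None


# Constructed access-log lines in common log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [09/Feb/2026:10:00:01 +0000] "GET /static/secret.txt HTTP/1.1" 302 0
10.0.0.5 - - [09/Feb/2026:10:00:02 +0000] "GET /static/SECRET.TXT HTTP/1.1" 200 512
10.0.0.7 - - [09/Feb/2026:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 2048
10.0.0.5 - - [09/Feb/2026:10:00:04 +0000] "GET /Admin/Config.xml HTTP/1.1" 200 800
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def find_case_bypass_candidates(log_text: str, chains=FILTER_CHAINS):
    """Flag requests whose path resolves to a protected filter only after
    case folding: on a case-insensitive filesystem these would be served
    by the static handler while Shiro's exact-case rule never fired."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = urlsplit(m["target"]).path
        exact = resolve_chain(path, chains, case_insensitive=False)
        folded = resolve_chain(path, chains, case_insensitive=True)
        if folded not in (None, "anon") and exact != folded:
            hits.append({"ip": m["ip"], "path": path, "exact": exact,
                         "folded": folded, "status": int(m["status"])})
    return hits


def ini_enables_case_insensitive(ini_text: str) -> bool:
    """True if the [main] section sets filterChainResolver.caseInsensitive = true
    (the 2.0.7+ remediation named in the advisory)."""
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "main" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip() == "filterChainResolver.caseInsensitive":
                return value.strip().lower() == "true"
    return False


if __name__ == "__main__":
    for hit in find_case_bypass_candidates(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['path']}: exact={hit['exact']} folded={hit['folded']} status={hit['status']}")
```

Run as a script it lists the two constructed requests whose mixed-case paths slip past the lower-case rules; pointing `find_case_bypass_candidates` at real logs and `ini_enables_case_insensitive` at a deployed `shiro.ini` gives a quick post-upgrade check that the new parameter is actually in effect.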
| Version | Type | Source | Base | Exploitability | Impact | Vector |
|---|---|---|---|---|---|---|
| 3.1 | Primary | cve.org | 5.3 | — | — | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| 3.1 | Secondary | NVD | 5.3 | 3.9 | 1.4 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| 3.1 | Secondary | GHSA | 5.3 | — | — | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |