Apache Shiro: LDAP DN Injection in DefaultLdapRealm_CVE-2026-49268

8.8 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/S:P/AU:Y/R:A/RE:L/U:Red

Description

A remote attacker can inject LDAP special characters into the Distinguished Name (DN) construction in DefaultLdapRealm class. User-supplied username input is directly concatenated into the LDAP DN template without any escaping of RFC 2253 special characters. This allows an attacker to manipulate the DN structure used for LDAP bind authentication, potentially bypassing authentication or impersonating other users.

This issue affects all Apache Shiro versions through 2.2.0, and 3.0.0-alpha-1 when using DefaultLdapRealm
Upgrade to Apache Shiro 2.2.1 or 3.0.0-alpha-2 or later, which fixes the issue.

Basic Information

ID CVE-2026-49268

Source apache

Published Jun 17, 2026 at 13:07

Affected Product

Vendor Apache Software Foundation

Product Apache Shiro

Affected Versions Apache Software Foundation Apache Shiro 0
Apache Software Foundation Apache Shiro 3.0.0-alpha-0

CWE Classification

CWE-90

References

lists.apache.org /thread/svszql3od8td7hn6conyj2oq70v53b5s

{
    "lastseen": "",
    "description": "A remote attacker can inject LDAP special characters into the Distinguished Name (DN) construction in DefaultLdapRealm class. User-supplied username input is directly concatenated into the LDAP DN template without any escaping of RFC 2253 special characters. This allows an attacker to manipulate the DN structure used for LDAP bind authentication, potentially bypassing authentication or impersonating other users.\n\nThis issue affects all Apache Shiro versions through 2.2.0, and 3.0.0-alpha-1 when using\u00a0DefaultLdapRealm\nUpgrade to Apache Shiro 2.2.1 or 3.0.0-alpha-2 or later, which fixes the issue.",
    "published": "2026-06-17T13:07:44.488Z",
    "modified": "2026-06-17T13:07:44.488Z",
    "type": "cve",
    "title": "Apache Shiro: LDAP DN Injection in DefaultLdapRealm",
    "source": "apache",
    "references": "https://lists.apache.org/thread/svszql3od8td7hn6conyj2oq70v53b5s",
    "id": "CVE-2026-49268",
    "bulletinFamily": "",
    "cwe": [
        "CWE-90"
    ],
    "cvelist": null,
    "sourceData": "Apache Software Foundation Apache Shiro 0\nApache Software Foundation Apache Shiro 3.0.0-alpha-0",
    "sourceHref": "",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/S:P/AU:Y/R:A/RE:L/U:Red",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Apache Shiro",
    "version": "0",
    "vendor": "Apache Software Foundation",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}