CVE-2026-49268

UNKNOWN 0.0

Apache Shiro: LDAP DN Injection in DefaultLdapRealm

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

A remote attacker can inject LDAP special characters into the Distinguished Name (DN) construction in DefaultLdapRealm class. User-supplied username input is directly concatenated into the LDAP DN template without any escaping of RFC 2253 special characters. This allows an attacker to manipulate the DN structure used for LDAP bind authentication, potentially bypassing authentication or impersonating other users. This issue affects all Apache Shiro versions through 2.2.0, and 3.0.0-alpha-1 when using DefaultLdapRealm Upgrade to Apache Shiro 2.2.1 or 3.0.0-alpha-2 or later, which fixes the issue.

CWE	CWE-90
Vendor	apache software foundation
Product	apache shiro
Published	Jun 17, 2026
Last Updated	Jun 17, 2026

Stay Ahead of the Next One

Get instant alerts for apache software foundation apache shiro

Be the first to know when new unknown vulnerabilities affecting apache software foundation apache shiro are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Apache Software Foundation / Apache Shiro

0 ≤ 2.2.0 3.0.0-alpha-0 ≤ 3.0.0-alpha-1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

lists.apache.org: https://lists.apache.org/thread/svszql3od8td7hn6conyj2oq70v53b5s openwall.com: http://www.openwall.com/lists/oss-security/2026/06/17/8

Credits

zhaokaifei (reporter) - ChinaTelecom Lenny Primak <[email protected]>