Daily CyberSecurity (securityonline.info) ·EN-US News source Patch releasedApache Shiro
Critical Apache Shiro LDAP Injection Flaw Uncovered
CVE Tools coverage
Researchers identified a critical LDAP injection issue in Apache Shiro’s DefaultLdapRealm that could let attackers bypass authentication by manipulating the LDAP Distinguished Name (DN) construction. The vulnerability is tracked as CVE-2026-49268 and affects Apache Shiro versions below 2.2.1, as well as versions 3.0.0-alpha-0 through 3.0.0-alpha-1, with a high CVSS score of 8.8. Organizations should remediate by updating to Apache Shiro 2.2.1 or later (or 3.0.0-alpha-2 and later) to prevent impersonation and unauthorized access.