CVE-2026-49268: Apache Shiro: LDAP DN Injection in DefaultLdapRealm
A remote attacker can inject LDAP special characters into the Distinguished Name (DN) construction in the DefaultLdapRealm class. User-supplied username input is concatenated directly into the LDAP DN template without any escaping of RFC 2253 special characters. This allows an attacker to manipulate the DN structure used for LDAP bind authentication, potentially bypassing authentication or impersonating other users. This issue affects all Apache Shiro versions through 2.2.0, and 3.0.0-alpha-1, when using DefaultLdapRealm. Upgrade to Apache Shiro 2.2.1 or 3.0.0-alpha-2 or later, which fixes the issue.
Metrics
- CVSS v4.0: 8.8
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
LDAP DN injection in Apache Shiro's DefaultLdapRealm class allows a remote, unauthenticated attacker to manipulate the Distinguished Name structure used during LDAP bind authentication. User-supplied usernames are concatenated directly into the DN template without escaping RFC 2253 special characters, letting an attacker craft input that reshapes the DN query. Successful exploitation grants the ability to bypass authentication or impersonate other users in LDAP-backed applications. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment the upstream fix is published.
HarborGuard Coverage
Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle Apache Shiro. Any image containing an affected version (Shiro 2.2.0 or earlier, or 3.0.0-alpha-1) is flagged automatically in the pipeline scan.
HarborGuard is capable of scoring this finding at CVSS 8.8 (HIGH) and weighting it against each customer environment's compliance policy to determine urgency. Findings are routed to the appropriate team inbox within each customer organization based on the image owner, severity tier, and policy configuration.
Because no upstream fix versions have been published yet, HarborGuard re-checks this advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Apache ships a remediated release. For customers with auto-remediation enabled, a rebuild, regression-test run, and PR against affected workloads will be triggered without manual intervention once a fix is available.
Exploit Conditions
- Network reachability: Required
The attacker must reach the application's authentication endpoint over the network; no local access or special network position is needed.
- Authentication: Not required
No account or credentials are needed; the injection is carried through the username field of a standard unauthenticated login request.
- Victim interaction: Not required
No user action is required; the attacker submits the crafted request directly to the target service.
- Attack complexity
The exploit is reliable and condition-free; no race conditions, memory layout dependencies, or environmental prerequisites are required.
Blast Radius
- Reads limited identity or directory attributes exposed through the manipulated LDAP bind response (low confidentiality impact on the vulnerable component).
- Modifies the effective authentication identity, allowing the attacker to log in as a different user including privileged accounts.
- Bypasses authentication gates entirely, granting access to application features and data that require a valid session.
How HarborGuard Handles This
Available on HarborGuard: this CVE is actively tracked against every image in customer registries and CI pipelines that includes Apache Shiro 2.2.0 or earlier, or 3.0.0-alpha-1. Because no upstream patch exists at this time, the recommended immediate compensating controls are to isolate LDAP-backed Shiro services behind strict network policy (blocking direct external access to the authentication endpoint), apply egress filtering between the application tier and the LDAP directory to limit lateral movement, and consider disabling or replacing DefaultLdapRealm with a custom realm that performs explicit DN escaping per RFC 2253 until an official fix is available. HarborGuard monitors the Apache Shiro advisory on every ingest cycle; the moment Apache publishes versions 2.2.1 or 3.0.0-alpha-2, a patched-image rebuild becomes available automatically. For customers with auto-remediation enabled, this triggers a full rebuild, regression-test run, and a PR opened against affected workloads without any manual steps.
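To make the defect described above and the recommended compensating control (explicit DN escaping per RFC 2253 in a custom realm) concrete, here is an added Java example that is not Apache Shiro's code: a DN template with a Shiro-style {0} token is filled once by raw substitution and once through an RFC 2253 escaper, and a splitter on unescaped commas shows that only the raw build gains an extra RDN component. The template, class and method names are constructed for illustration.

```java
import java.util.Arrays;

// Added example, not Apache Shiro code: a DN template with a {0} token (the shape of
// Shiro's userDnTemplate) filled by raw substitution versus RFC 2253 / RFC 4514 escaping.
public final class DnTemplateDemo {
    // Constructed template; the real value comes from the realm's configuration.
    static final String TEMPLATE = "uid={0},ou=users,dc=example,dc=com";

    /** Vulnerable pattern: the username is spliced into the template unchanged. */
    static String buildDnUnescaped(String username) {
        return TEMPLATE.replace("{0}", username);
    }

    /** Hardened pattern: the username is escaped before it enters the DN. */
    static String buildDnEscaped(String username) {
        return TEMPLATE.replace("{0}", escapeRdnValue(username));
    }

    // Escapes one attribute value per RFC 2253 section 2.4 (RFC 4514 section 2.4): a
    // leading '#' or space, a trailing space, and every , + " \ < > ; get a backslash
    // prefix; NUL is written as \00.
    static String escapeRdnValue(String value) {
        StringBuilder out = new StringBuilder(value.length() + 8);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            boolean leading = i == 0 && (c == ' ' || c == '#');
            boolean trailing = i == value.length() - 1 && c == ' ';
            if (c == '\0') {
                out.append("\\00");
            } else if (leading || trailing || ",+\"\\<>;".indexOf(c) >= 0) {
                out.append('\\').append(c);
            } else {
                out.append(c);
            }
        }
        return out.toString();
    }

    /** Splits a DN on unescaped commas, so each element is one RDN. */
    static String[] rdns(String dn) {
        return dn.split("(?<!\\\\),");
    }

    public static void main(String[] args) {
        String username = "alice,ou=other"; // constructed input with DN metacharacters
        System.out.println(Arrays.toString(rdns(buildDnUnescaped(username))));
        System.out.println(Arrays.toString(rdns(buildDnEscaped(username))));
    }
}
```

The same escaper can back a login-time validation step: a realm that rejects or escapes any username whose escaped form differs from the raw input never lets user input change the number of RDNs in the bind DN.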
- Apache Software Foundation / Apache Shiro: ≤ 2.2.0 · ≤ 3.0.0-alpha-1
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/S:P/AU:Y/R:A/RE:L/U:Red