CVE-2026-49268: Apache Shiro DefaultLdapRealm LDAP injection

CVE-2026-49268 is a CVSS 9.1 CRITICAL LDAP injection vulnerability in Apache Shiro DefaultLdapRealm published 17 June 2026. User-supplied username input is concatenated directly into LDAP Distinguished Name templates without escaping RFC 2253 special characters. An attacker can manipulate the DN structure used for LDAP bind authentication to bypass authentication or impersonate other users.

TL;DR: Apache Shiro DefaultLdapRealm LDAP injection, classified as CWE-90 (LDAP Injection). NVD scores this 9.1 CRITICAL. Apache Shiro is widely used in Java enterprise applications for authentication and authorization. The vulnerability lets an unauthenticated attacker bypass LDAP bind authentication or impersonate other users by injecting LDAP DN special characters into the username field.

What This Vulnerability Is

A remote attacker can inject LDAP special characters into the Distinguished Name (DN) construction in the DefaultLdapRealm class. User-supplied username input is concatenated directly into the LDAP DN template without any escaping of RFC 2253 special characters. This lets an attacker alter the DN structure used for the LDAP bind, potentially bypassing authentication or impersonating other users.

The National Vulnerability Database assigned this issue a CVSS base score of 9.1, placing it in the CRITICAL category. The identifier CVE-2026-49268 was published on 17 June 2026. The weakness class is CWE-90 (LDAP Injection). Affected versions are all Apache Shiro releases through 2.2.0 and 3.0.0-alpha-1 when DefaultLdapRealm is in use. The fix shipped in Apache Shiro 2.2.1 and 3.0.0-alpha-2.
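As an added illustration (not Shiro's own code), the Python below places the vulnerable substitution pattern the text describes beside an RFC 2253-escaping version, and adds a structural check that a built DN still has the template's RDN count. The template value, the function names and the sample username are assumptions made for this example.

```python
import re

# Assumed Shiro-style user DN template ({0} is replaced by the submitted username);
# the value is constructed for this example, not taken from any deployment.
USER_DN_TEMPLATE = "uid={0},ou=users,dc=example,dc=com"

# Characters RFC 2253 section 2.4 requires to be escaped anywhere in a value.
RFC2253_SPECIAL = set(',+"\\<>;')

# One RDN: a run of characters that are neither an unescaped comma nor a stray
# backslash, where a backslash escape pair counts as part of the run.
_RDN_RE = re.compile(r'(?:[^,\\]|\\.)+')

def build_dn_unsafe(username: str) -> str:
    """Vulnerable pattern: the raw username is substituted into the template."""
    return USER_DN_TEMPLATE.replace("{0}", username)

def escape_dn_value(value: str) -> str:
    """Escape a value for use inside a DN: the RFC 2253 rules plus the NUL rule
    that its successor RFC 4514 added."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in RFC2253_SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")  # NUL is not printable, so use the hex form
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")  # leading or trailing space
        elif ch == "#" and i == 0:
            out.append("\\#")  # leading number sign
        else:
            out.append(ch)
    return "".join(out)

def build_dn_safe(username: str) -> str:
    """Hardened pattern: the username is escaped before substitution."""
    return USER_DN_TEMPLATE.replace("{0}", escape_dn_value(username))

def split_rdns(dn: str) -> list:
    """Split a DN on unescaped commas; escape pairs never act as separators."""
    return _RDN_RE.findall(dn)

def dn_keeps_template_shape(dn: str) -> bool:
    """Defensive check: a correctly built DN has exactly the template's RDN count."""
    return len(split_rdns(dn)) == len(split_rdns(USER_DN_TEMPLATE))
```

A username containing a comma adds an RDN in the unsafe build and fails the shape check, while the escaped build keeps the template's four RDNs.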

CVE Identifier: CVE-2026-49268
CVSS Base Score: 9.1 / 10.0 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Weakness Class: CWE-90 (LDAP Injection)
Published: 17 June 2026
Affected Products: Apache Shiro through 2.2.0 and 3.0.0-alpha-1 (DefaultLdapRealm)
Patched Versions: Apache Shiro 2.2.1 and 3.0.0-alpha-2 or later
Vendor Advisory: https://lists.apache.org/thread/svszql3od8td7hn6conyj2oq70v53b5s

How a Sherlock Forensic Examiner Triages a Suspected Shiro LDAP Bypass

If you suspect this vulnerability has been exploited against a Java application server using Apache Shiro, the first artifact a Sherlock forensic examiner pulls is the LDAP directory server access log. Enterprise LDAP directories (Active Directory, OpenLDAP, 389 Directory Server, Apache Directory) all log bind operations, including the DN that was constructed for the bind attempt. Filter the LDAP server log for bind operations within the suspected exploitation window. Pay attention to DN values containing LDAP special characters that should not appear in legitimate username input: parentheses, asterisks, backslashes, NULL bytes and comma sequences that suggest DN structure manipulation.

The second artifact is the application authentication log. Apache Shiro logs every authentication attempt through its standard logging facade. The application configuration controls which logger and which level capture Shiro authentication events. Pull the application log for the same window and look for successful authentication events that do not correspond to legitimate user activity, particularly authentications attributed to administrative accounts at unusual times. Cross-reference the application log against the LDAP directory log to identify mismatches between what the application thinks happened and what the directory actually validated.

The third artifact is the Windows event log on the LDAP directory server, if Active Directory is the LDAP backend. The Sherlock Universal Events Viewer Forensic Edition reads the Security channel, where Event ID 4624 (successful logon), Event ID 4625 (failed logon) and Event ID 4768 (Kerberos authentication ticket) are recorded. Directory-side authentication failures paired with successful Shiro authentications for the same attempts are the impersonation signature.

The fourth artifact is the network capture, if your environment runs LDAP over plaintext or you have TLS visibility. The crafted DN values are visible in the LDAP bind request payload. Cross-reference the network capture timestamps against the application log and the directory access log to confirm exactly which request triggered the bypass and which user account was impersonated.

Detection Signature

Illustrative Sigma rule. Tune the legitimate-DN allowlist to your directory schema before production deployment.

title: Apache Shiro LDAP DN Injection Signature CVE-2026-49268
id: cve-2026-49268-shiro-ldap-injection
status: experimental
description: Detects LDAP bind operations containing DN special characters that suggest CVE-2026-49268 exploitation.
logsource:
  category: ldap
detection:
  selection:
    bind_dn|re: '(\)\(|\*\)|\\|%00|\),\s*cn=)'
  condition: selection
level: high
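As an added example that is not part of the original rule, the Python below applies the signature's pattern to constructed OpenLDAP-style bind log lines and shows the tuning step the rule needs: a backslash that only escapes an RFC 2253 special character (a legitimate DN construct) is reported separately from a DN that still matches after such escapes are removed. The log line format, the sample lines and the function names are assumptions.

```python
import re

# The page's Sigma signature as a Python regex; the bare backslash alternative
# matches one literal backslash in the logged DN.
DN_INJECTION_RE = re.compile(r'(\)\(|\*\)|\\|%00|\),\s*cn=)')

# A backslash followed by an RFC 2253 special character is ordinary DN escaping
# (a comma inside a surname, say), not by itself evidence of injection.
ESCAPE_ONLY_RE = re.compile(r'\\[,+"\\<>;]')

# Assumed OpenLDAP-style bind record: conn=<id> op=<n> BIND dn="<dn>" method=<m>
BIND_LINE_RE = re.compile(r'conn=(\d+) .*?\bBIND dn="((?:[^"\\]|\\.)*)"')

# Constructed sample log lines written for this example; not from any real system.
SAMPLE_LOG = r"""
conn=1001 op=0 BIND dn="uid=alice,ou=users,dc=example,dc=com" method=128
conn=1002 op=0 BIND dn="uid=bob,ou=users,dc=example,dc=com" method=128
conn=1003 op=0 BIND dn="uid=*),cn=admin,ou=users,dc=example,dc=com" method=128
conn=1004 op=0 BIND dn="uid=smith\, john,ou=users,dc=example,dc=com" method=128
"""

def triage_dn(dn: str) -> str:
    """Classify one bind DN as 'clean', 'benign-escape' or 'suspicious'."""
    if DN_INJECTION_RE.search(dn) is None:
        return "clean"
    # Remove legitimate escape pairs and re-test: if the signature no longer
    # fires, its only trigger was a properly escaped special character.
    if DN_INJECTION_RE.search(ESCAPE_ONLY_RE.sub("", dn)) is None:
        return "benign-escape"
    return "suspicious"

def flag_binds(log_text: str) -> list:
    """Return (conn_id, dn, verdict) for every bind whose DN is not clean."""
    hits = []
    for line in log_text.splitlines():
        m = BIND_LINE_RE.search(line)
        if m is None:
            continue
        conn, dn = m.group(1), m.group(2)
        verdict = triage_dn(dn)
        if verdict != "clean":
            hits.append((conn, dn, verdict))
    return hits

if __name__ == "__main__":
    for conn, dn, verdict in flag_binds(SAMPLE_LOG):
        print(f"conn={conn} {verdict}: {dn}")
```

The benign-escape verdict is the allowlist the rule's introduction asks you to tune; DNs that stay suspicious after escapes are stripped are the ones to cross-reference against the application log.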

What to Do About It

  1. Upgrade Apache Shiro immediately, following the Apache mailing list advisory. The fix shipped in 2.2.1 and 3.0.0-alpha-2.
  2. Run the forensic triage above on any system showing the indicator pattern. The Sherlock UEV is the canonical tool for the Active-Directory-side authentication log analysis.
  3. Subscribe to the CISA Known Exploited Vulnerabilities catalog. Treat additions to the CISA KEV catalog as emergency patch tickets.
  4. Document your response. Record what you checked, what you patched and what residual risk remains.

References and Further Reading