CVE-2026-49268: Apache Shiro: LDAP DN Injection in DefaultLdapRealm

June 17, 2026 (updated June 18, 2026)

A remote attacker can inject LDAP special characters into the Distinguished Name (DN) construction in DefaultLdapRealm class. User-supplied username input is directly concatenated into the LDAP DN template without any escaping of RFC 2253 special characters. This allows an attacker to manipulate the DN structure used for LDAP bind authentication, potentially bypassing authentication or impersonating other users.

This issue affects all Apache Shiro versions through 2.2.0, and 3.0.0-alpha-1 when using DefaultLdapRealm Upgrade to Apache Shiro 2.2.1 or 3.0.0-alpha-2 or later, which fixes the issue.

References

github.com/advisories/GHSA-x96m-rh44-vgv8
lists.apache.org/thread/svszql3od8td7hn6conyj2oq70v53b5s
nvd.nist.gov/vuln/detail/CVE-2026-49268

Code Behaviors & Features

Detect and mitigate CVE-2026-49268 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →