CVE-2026-23903: Apache Shiro has an Authentication Bypass
Authentication Bypass: A vulnerability exists in Apache Shiro that allows authentication bypass for static files when served from a case-insensitive filesystem (such as the default configuration on macOS or Windows).
The issue arises when Shiro’s URL filters are configured with lower-case rules (a common default), but the underlying operating system treats mixed-case filenames as identical. An attacker can access protected static resources by varying the capitalization of the filename in the request (e.g., requesting /SECRET.TXT to bypass a rule for /secret.txt).
This issue specifically affects static file handling and does not impact dynamic resource paths that are case-sensitive.
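The following is an added illustration of the mismatch described above, not code from Apache Shiro or from the advisory. It models a case-insensitive file store in memory (standing in for the macOS/Windows defaults) and a first-match rule table in the style of a Shiro `[urls]` section (`authc` and `anon` are real Shiro filter names; the matcher itself is a simplified stand-in, not Shiro's `AntPathMatcher`). The hardened variant folds the request path to lower case before rule matching, which is one general mitigation assumed here for the purpose of the example and is not presented as Shiro's own fix; it only works if the rules themselves are written in lower case, as the advisory says is common.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;

/**
 * Demonstrates why case-sensitive URL rules plus a case-insensitive file
 * store lets a differently-capitalized request reach a protected file,
 * and how normalizing the request path before matching closes the gap.
 * Hypothetical example; does not use Shiro classes.
 */
public class CaseMismatchDemo {

    /** Constructed sample files; lookup ignores case, like macOS/Windows defaults. */
    static final Map<String, String> FILES = new LinkedHashMap<>();
    static {
        FILES.put("/secret.txt", "top secret");
        FILES.put("/index.html", "<html>public</html>");
    }

    /** Rules in [urls] style: first matching entry wins, as in Shiro. */
    static final Map<String, String> RULES = new LinkedHashMap<>();
    static {
        RULES.put("/secret.txt", "authc");   // lower-case rule, as is common
        RULES.put("/**", "anon");
    }

    /** Case-insensitive file resolution: "/SECRET.TXT" finds "/secret.txt". */
    static String readStaticFile(String path) {
        for (Map.Entry<String, String> e : FILES.entrySet()) {
            if (e.getKey().equalsIgnoreCase(path)) {
                return e.getValue();
            }
        }
        return null;
    }

    /** Vulnerable pattern: exact, case-sensitive comparison against the rules. */
    static String filterForVulnerable(String path) {
        for (Map.Entry<String, String> r : RULES.entrySet()) {
            if (r.getKey().equals("/**") || r.getKey().equals(path)) {
                return r.getValue();
            }
        }
        return "anon";
    }

    /**
     * Hardened pattern (assumed mitigation): when the backing store is
     * case-insensitive, fold the request path to lower case so that the
     * rule lookup sees the same name the filesystem will resolve.
     */
    static String filterForHardened(String path, boolean caseInsensitiveStore) {
        String normalized = caseInsensitiveStore ? path.toLowerCase(Locale.ROOT) : path;
        return filterForVulnerable(normalized);
    }

    /** Returns the file body if served, or null if blocked by "authc" or not found. */
    static String serve(String path, boolean authenticated, boolean hardened) {
        String filter = hardened ? filterForHardened(path, true) : filterForVulnerable(path);
        if ("authc".equals(filter) && !authenticated) {
            return null;   // a real deployment would redirect to login here
        }
        return readStaticFile(path);
    }

    public static void main(String[] args) {
        // Exact-case request is blocked as intended.
        System.out.println("vulnerable /secret.txt  -> " + serve("/secret.txt", false, false));
        // Different capitalization misses the rule but still resolves the file.
        System.out.println("vulnerable /SECRET.TXT  -> " + serve("/SECRET.TXT", false, false));
        // After normalization the rule matches and the request is blocked.
        System.out.println("hardened   /SECRET.TXT  -> " + serve("/SECRET.TXT", false, true));
        // Public file remains reachable.
        System.out.println("hardened   /index.html  -> " + serve("/index.html", false, true));
    }
}
```

Expected behaviour: the first and third calls return null (blocked), the second returns the protected body (the bypass), and the fourth returns the public page. When reviewing a deployment, the check is whether static resources are served from a case-insensitive filesystem while the rule matching is case-sensitive; if so, either normalize the path before matching as above, or serve static files from a case-sensitive location.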