CVE-2026-56091
HighCVSS 8.2Exploitation Probability (EPSS)
Low risk34th percentile — higher than 34% of all known CVEs
Summary
A vulnerability in Apache Shiro with the shiro-guice module in a web servlet context may lead to authentication bypass through a specially crafted HTTP request. This affects all Apache Shiro versions up to 2.x and 3.0.0-alpha-1 when using the shiro-guice module.
Risk Assessment
Organizations may be exposed to unauthorized access to resources, potentially leading to serious security breaches. Exploitation of this vulnerability could result in data loss or unauthorized access to systems.
Recommendation
It is recommended to upgrade to version 3.0.0 or later, which fixes this vulnerability. An audit of existing implementations should also be conducted to identify potential threats.
Original NVD description (English source)
When using Apache Shiro with the shiro-guice module in a web servlet context, a specially crafted HTTP request may cause an authentication bypass. This vulnerability is similar to https://www.cve.org/CVERecord?id=CVE-2020-1957 https://www.cve.org/CVERecord , except that it affects the `shiro-guice` module instead of the `shiro-spring` module. This issue affects all Apache Shiro versions through 2.x, and 3.0.0-alpha-1 only when using `shiro-guice` module in a web servlet context. Upgrade to version 3.0.0 or later, which fixes the issue.

