Security Advisory - Published 2026-06-18 - Apache Shiro / LDAP
Apache Shiro CVE-2026-49268: check DefaultLdapRealm before the next login window
CVE-2026-49268 affects Apache Shiro deployments that use DefaultLdapRealm to build LDAP Distinguished Names from login input. Upgrade Shiro, then review LDAP realm templates and authentication logs for unusual account mapping behavior.
Who is affected?
- Apache Shiro through 2.2.0 when DefaultLdapRealm is used.
- Apache Shiro 3.0.0-alpha-1 when DefaultLdapRealm is used.
- Applications that map login names directly into LDAP DN templates.
Owner self-check
grep -RniE "shiro-core|shiro-web|DefaultLdapRealm|ldapRealm" . --include="pom.xml" --include="*.gradle" --include="*.java" --include="*.ini" --include="*.yml"
find . -iname "*.jar" | grep -E 'shiro-core|shiro-web'
grep -RniE "userDnTemplate|searchBase|ldap" src config WEB-INF 2>/dev/null
What to review
- Applications that use Shiro LDAP login for admin, staff, partner, or internal users.
- Authentication logs with odd username formatting, repeated failed binds, or unexpected successful binds.
- LDAP group mappings where one login name can resolve to a different account or role.
- Old JARs inside WAR/EAR artifacts even after the source dependency file was updated.
Safe fix path
- Upgrade Apache Shiro to 2.2.1 or 3.0.0-alpha-2 or later.
- Confirm the running artifact contains the fixed Shiro JARs.
- Review LDAP realm templates and avoid direct DN construction from untrusted login input.
- Reset suspicious sessions and review recently changed roles or group memberships.
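As an added example, not code from this advisory or from Shiro itself: a Python sketch of two of the review points above, an allowlist plus RFC 4514 escaping applied before a login name is substituted into a userDnTemplate-style DN, and a scan of constructed authentication log lines for the odd username formatting the review list mentions. The template string, the log line format and the function names are assumptions.

```python
import re

# Allowlist for login names that will be substituted into a DN template;
# anything outside it is rejected before it reaches the LDAP realm.
_LOGIN_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")
# Characters RFC 4514 requires escaping anywhere inside an attribute value.
_DN_SPECIAL = set('"+,;<>\\')

def is_safe_login_name(login: str) -> bool:
    return _LOGIN_RE.fullmatch(login) is not None

def escape_dn_value(value: str) -> str:
    """Escape one attribute value per RFC 4514 so it cannot alter DN structure."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == " " and i in (0, last):   # leading/trailing space
            out.append("\\ ")
        elif ch == "#" and i == 0:           # leading '#'
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)

def build_user_dn(template: str, login: str) -> str:
    """Fill a userDnTemplate-style string, e.g. 'uid={0},ou=users,dc=example,dc=com'.
    The allowlist is the control; escaping is defense in depth if it is relaxed later."""
    if not is_safe_login_name(login):
        raise ValueError("login name rejected by allowlist")
    return template.replace("{0}", escape_dn_value(login))

# Constructed sample authentication log lines; the format is assumed, not Shiro's.
SAMPLE_LOG = [
    'realm=ldapRealm user="alice" result=SUCCESS',
    'realm=ldapRealm user="bob.smith" result=FAILURE',
    'realm=ldapRealm user="carol,x=y" result=SUCCESS',
    'realm=ldapRealm user=" dave" result=FAILURE',
]

def flag_odd_usernames(lines):
    """Return user values that fail the allowlist: the odd formatting worth reviewing."""
    flagged = []
    for line in lines:
        m = re.search(r'user="([^"]*)"', line)
        if m and not is_safe_login_name(m.group(1)):
            flagged.append(m.group(1))
    return flagged
```

Run flag_odd_usernames over the real realm's authentication log export to get the list of accounts to check against the group mappings listed above.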
Repair help
Use Ping7 CVE Repair if a Shiro-backed app is public-facing, protects admin access, or shows unusual LDAP bind activity around the disclosure window.