LDAP Injection in Apache Software Foundation Shiro
CVE-2026-49268
A remote attacker can inject LDAP special characters into the Distinguished Name (DN) construction in the DefaultLdapRealm class. User-supplied username input is concatenated directly into the LDAP DN template without any escaping of RFC 2253…
Affected products
- Apache Software Foundation Shiro — versions 0, 3.0.0-alpha-0
Weakness classification (CWE)
References
- security@apache.org (vendor-advisory)
- af854a3a-2127-422b-91ae-364da2661108