EXECUTIVE SUMMARY:
CVE-2026-49268 (CVSS score 8.8) is a critical LDAP DN injection flaw in Apache Shiro’s DefaultLdapRealm class that affects all Shiro releases through 2.2.0 and the 3.0.0‑alpha‑0 through 3.0.0‑alpha‑1 versions. The vulnerability arises because the realm builds the LDAP distinguished name by directly concatenating the user‑supplied username into a DN template without escaping RFC 2253 special characters. An attacker can exploit this by sending a crafted username containing LDAP control characters to the authentication endpoint; doing so requires only network‑level access to the login interface and no prior authentication. By manipulating the DN structure, the attacker can bypass the bind operation, effectively authenticating as any user or impersonating other legitimate accounts. This capability enables unauthorized access to protected applications, potential data exfiltration, and violations of compliance and privacy obligations, thereby exposing the organization to financial loss and reputational damage. Exploitation is possible when the target application is configured to use DefaultLdapRealm for LDAP authentication and the attacker can submit arbitrary usernames to the authentication service.
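The defect described above is a string-substitution problem: the username is dropped into a DN template as-is, so RFC 2253 metacharacters in it become part of the DN's structure. The following Java example is added here for illustration and is not Apache Shiro's code. It assumes a constructed template `uid={0},ou=users,dc=example,dc=com` in the same `{0}` placeholder shape as a typical user DN template, and uses the JDK's own `javax.naming.ldap.Rdn.escapeValue` (RFC 2253/4514 escaping) and `javax.naming.ldap.LdapName` (DN parsing). It shows the unsafe concatenation beside the escaped form, plus a structural check a realm or reverse proxy could apply before a bind: the resulting DN must parse, must have exactly as many RDNs as the template, and the user RDN's value must round-trip to the supplied username. The sample usernames are constructed.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import java.util.regex.Pattern;

/**
 * Added example (not Apache Shiro code): contrasts raw substitution of a
 * username into a DN template with RFC 2253/4514-escaped substitution, and
 * verifies that the built DN keeps the template's structure.
 */
public final class SafeUserDn {

    // Constructed template in the usual "{0}" placeholder shape; the base DN is an example value.
    static final String TEMPLATE = "uid={0},ou=users,dc=example,dc=com";

    // RFC 4514 characters that must be escaped inside an attribute value,
    // plus leading/trailing space and NUL. Useful as a pre-bind validation rule.
    private static final Pattern DN_SPECIALS =
            Pattern.compile("[,=+<>#;\\\\\"\\u0000]|^ | $");

    /** The unsafe pattern: raw concatenation, so the DN's structure is caller-controlled. */
    static String unsafeDn(String username) {
        return TEMPLATE.replace("{0}", username);
    }

    /** Hardened form: escape the value with the JDK's RFC 2253 escaper before substitution. */
    static String safeDn(String username) {
        return TEMPLATE.replace("{0}", Rdn.escapeValue(username));
    }

    /**
     * Structural check: the DN must parse, have the same RDN count as the template,
     * and its user RDN must be "uid" with a value equal to the supplied username.
     */
    static boolean dnKeepsTemplateStructure(String dn, String username) {
        try {
            LdapName name = new LdapName(dn);
            LdapName template = new LdapName(TEMPLATE.replace("{0}", "placeholder"));
            if (name.size() != template.size()) {
                return false;
            }
            // LdapName indexes RDNs right-to-left, so the user RDN is the last index.
            Rdn userRdn = name.getRdn(name.size() - 1);
            // Rdn.getValue() returns the unescaped value, so it can be compared directly.
            return "uid".equalsIgnoreCase(userRdn.getType())
                    && username.equals(String.valueOf(userRdn.getValue()));
        } catch (InvalidNameException e) {
            // A DN that does not parse at all must never reach the bind.
            return false;
        }
    }

    /** Allow-list style validation: flag usernames that carry DN metacharacters. */
    static boolean containsDnSpecials(String username) {
        return DN_SPECIALS.matcher(username).find();
    }

    public static void main(String[] args) {
        // Constructed inputs: a plain name, one with a harmless apostrophe,
        // and one containing a comma (an RDN separator under RFC 2253).
        String[] samples = { "alice", "o'brien", "smith, john" };
        for (String user : samples) {
            String unsafe = unsafeDn(user);
            String safe = safeDn(user);
            System.out.printf("%-12s specials=%-5s unsafe=%-46s ok=%s%n",
                    user, containsDnSpecials(user), unsafe, dnKeepsTemplateStructure(unsafe, user));
            System.out.printf("%-12s %-14s safe  =%-46s ok=%s%n",
                    "", "", safe, dnKeepsTemplateStructure(safe, user));
        }
    }
}
```

For `smith, john` the unsafe DN `uid=smith, john,ou=users,dc=example,dc=com` no longer has the template's four RDNs and fails the structural check, while the escaped DN `uid=smith\, john,ou=users,dc=example,dc=com` parses to four RDNs whose user value round-trips. The same pattern (escape on construction, parse and compare before bind) is the defensive fix for this class of DN injection; for a deployed Shiro instance, the vendor's patched release is the actual remediation.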
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://securityonline.info/apache-shiro-ldap-injection/