Apache Shiro Observable Timing Discrepancy Vulnerability Allowing Username Enumeration

Vulnerability

A timing discrepancy vulnerability has been identified in Apache Shiro versions 1.* and 2.* prior to 2.0.7. It allows a brute-force attack to determine valid usernames by timing login requests and distinguishing failures caused by a non-existent user from failures caused by an incorrect password. The issue arises because the response times for these two cases differ enough to be measurable. The vulnerability is likely exploitable only in a local context.
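As an added illustration that is not Apache Shiro code and not part of this advisory, the following Python sketch shows the general shape of this bug class and of its fix. A login routine that returns early for unknown users does no password hashing on that path, so it answers measurably faster than the wrong-password path; the hardened variant always performs exactly one hash computation, comparing against a dummy hash when the account does not exist, so both failure modes cost the same. The user store, salt, and all function names are constructed for the example.

```python
import hashlib
import hmac
import time

# Counter of expensive hash computations, used to show which code path did work.
HASH_CALLS = 0

def _hash(password: str, salt: bytes) -> bytes:
    """Slow password hash (PBKDF2); this is the cost an attacker can time."""
    global HASH_CALLS
    HASH_CALLS += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)

# Constructed sample data: a single-user store with a fixed demo salt.
SALT = b"constructed-demo-salt"
USERS = {"alice": _hash("correct horse battery staple", SALT)}

# Dummy hash computed once at startup so unknown accounts still get a real comparison.
DUMMY_HASH = _hash("constructed-dummy-placeholder", SALT)

def login_leaky(username: str, password: str) -> bool:
    """Vulnerable pattern: unknown users short-circuit before any hashing."""
    stored = USERS.get(username)
    if stored is None:
        return False  # fast path: no hash work, so this reply arrives sooner
    return hmac.compare_digest(stored, _hash(password, SALT))

def login_constant_work(username: str, password: str) -> bool:
    """Hardened pattern: always hash once and compare, regardless of user existence."""
    stored = USERS.get(username)
    user_exists = stored is not None
    target = stored if user_exists else DUMMY_HASH
    candidate = _hash(password, SALT)          # same cost on every path
    match = hmac.compare_digest(target, candidate)
    # The remaining boolean combine is negligible next to the PBKDF2 cost above.
    return user_exists and match

def hash_calls_for(fn, username: str, password: str) -> int:
    """Return how many hash computations a single login attempt triggered."""
    global HASH_CALLS
    before = HASH_CALLS
    fn(username, password)
    return HASH_CALLS - before

def best_of(fn, username: str, password: str, rounds: int = 5) -> float:
    """Minimum wall-clock time over several rounds, as a timing probe would measure."""
    best = float("inf")
    for _ in range(rounds):
        start = time.perf_counter()
        fn(username, password)
        best = min(best, time.perf_counter() - start)
    return best

if __name__ == "__main__":
    for name, fn in (("leaky", login_leaky), ("constant-work", login_constant_work)):
        unknown = best_of(fn, "nobody", "guess")
        wrong_pw = best_of(fn, "alice", "guess")
        print(f"{name:14s} unknown user: {unknown*1000:7.2f} ms  "
              f"wrong password: {wrong_pw*1000:7.2f} ms")
```

Running the script prints the two failure timings side by side: the leaky version answers the unknown-user case in microseconds while the wrong-password case pays the full hash cost, whereas the constant-work version shows the two within noise of each other. The same principle applies to any authentication framework: the expensive credential check must run whether or not the account lookup succeeded.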

Impact

Exploitation of this vulnerability could lead to username enumeration, allowing an attacker to identify valid usernames on the system.

Remediation

Users are advised to upgrade to Apache Shiro version 2.0.7 or later, which addresses this vulnerability.

Added: Feb 10, 2026, 10:41 AM
Updated: Feb 10, 2026, 3:32 PM

Vulnerability Rating

Custom Algorithm

spread: 4.2
impact: 0.6
exploitability: 4.3
remediation: 7.9
relevance: 2.7
threat: 0.0
urgency: 1.4
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.