A critical vulnerability, tracked as CVE-2026-49268, has been discovered in the Apache Shiro framework, specifically in the DefaultLdapRealm class. The flaw is an LDAP injection: attacker-supplied input can alter the Distinguished Name (DN) the realm uses during user authentication. It carries a CVSS score of 8.8 (high severity) and affects versions up to 2.2.0 and 3.0.0-alpha-0.
Although no exploitation has been confirmed so far, administrators are urged to upgrade to the fixed releases (2.2.1 or 3.0.0-alpha-2) to prevent potential compromise.
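To show what "LDAP injection into a DN" means in practice, here is an added illustration of the vulnerability class, not Apache Shiro's code and not the specific code path behind CVE-2026-49268. The DN template, attribute names and sample username are constructed for the example; the hardened variant escapes the value per RFC 4514 before it is placed in the template, and a structural check verifies that the username cannot add or remove RDN components.

```python
# Illustrative LDAP DN injection and its mitigation (RFC 4514 escaping).
# Added example; this is NOT Apache Shiro's code. The template, attribute
# names and sample inputs below are constructed for illustration.

# Hypothetical user DN template of the kind an LDAP realm might use.
USER_DN_TEMPLATE = "uid={0},ou=people,dc=example,dc=com"


def build_user_dn_vulnerable(username: str) -> str:
    """Interpolate the username straight into the DN template, no escaping.

    A username containing ',' or '=' adds RDN components to the DN, so the
    realm ends up binding as a different directory entry than intended.
    """
    return USER_DN_TEMPLATE.format(username)


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514 section 2.4).

    Special characters are backslash-escaped; NUL becomes \\00; a leading '#'
    and leading/trailing spaces are escaped as well.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;=':
            out.append('\\' + ch)
        elif ch == '\x00':
            out.append('\\00')
        elif ch == '#' and i == 0:
            out.append('\\#')
        elif ch == ' ' and (i == 0 or i == last):
            out.append('\\ ')
        else:
            out.append(ch)
    return ''.join(out)


def build_user_dn_hardened(username: str) -> str:
    """Escape the username before placing it in the DN template."""
    return USER_DN_TEMPLATE.format(escape_rdn_value(username))


def count_rdns(dn: str) -> int:
    """Count RDN components, honouring backslash escapes.

    Simplified: quoted RDN values are not handled, which is fine for DNs we
    construct ourselves from a template.
    """
    count = 1
    i = 0
    while i < len(dn):
        if dn[i] == '\\':
            i += 2          # skip the escaped character
            continue
        if dn[i] == ',':
            count += 1
        i += 1
    return count


def is_structurally_sound(dn: str) -> bool:
    """True if the DN has exactly as many RDNs as the template itself."""
    return count_rdns(dn) == count_rdns(USER_DN_TEMPLATE)


# Constructed sample input: a username smuggling an extra RDN component.
MALICIOUS_USERNAME = "alice,ou=admins"

if __name__ == "__main__":
    for label, dn in (("vulnerable", build_user_dn_vulnerable(MALICIOUS_USERNAME)),
                      ("hardened", build_user_dn_hardened(MALICIOUS_USERNAME))):
        print(f"{label:10s} {dn}  rdns={count_rdns(dn)} "
              f"sound={is_structurally_sound(dn)}")
```

The unescaped build yields five RDN components from a four-component template, i.e. the caller has changed which entry is authenticated against; the escaped build keeps the injected text inside the single `uid` value. Escaping is the primary fix; the RDN-count check is a cheap defence-in-depth assertion a realm can run before issuing the bind.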