The vulnerability stems from improper authentication when Shiro interacts with Spring dynamic controllers. The root cause likely involves mismatches between Shiro's path-matching logic (via PathMatchingFilterChainResolver and AntPathMatcher) and Spring's dynamic URL resolution. Shiro's chain resolver determines which security filters apply to a request, and if its pattern matching fails to account for Spring's dynamic routing (e.g., parameterized paths or unconventional URL structures), authentication checks may be bypassed. While the exact commit details are unavailable, historical Shiro path-matching vulnerabilities (e.g., CVE-2020-1957) and the CWE-287 context strongly implicate these components. The AntPathMatcher's confidence is marked 'medium' due to less direct evidence of its role in this specific Spring integration scenario.