diff --git a/gradle/changelog/shiro_traversal_filter.yaml b/gradle/changelog/shiro_traversal_filter.yaml
new file mode 100644
index 0000000000..60478c72f7
--- /dev/null
+++ b/gradle/changelog/shiro_traversal_filter.yaml
@@ -0,0 +1,2 @@
+- type: fixed
+ description: Deactivate Shiro's new `blockTraversal` check in their `InvalidRequestFilter`
diff --git a/scm-webapp/src/main/java/sonia/scm/lifecycle/modules/ScmSecurityModule.java b/scm-webapp/src/main/java/sonia/scm/lifecycle/modules/ScmSecurityModule.java
index c0fa215a4a..93629fca6f 100644
--- a/scm-webapp/src/main/java/sonia/scm/lifecycle/modules/ScmSecurityModule.java
+++ b/scm-webapp/src/main/java/sonia/scm/lifecycle/modules/ScmSecurityModule.java
@@ -121,6 +121,7 @@ public class ScmSecurityModule extends ShiroWebModule
 // do not block non ascii character,
 // because this would exclude languages which are non ascii based
 bindConstant().annotatedWith(Names.named("shiro.blockNonAscii")).to(false);
+ bindConstant().annotatedWith(Names.named("shiro.blockTraversal")).to(false);
 // disable access to mustache resources
 addFilterChain("/**.mustache", filterConfig(ROLES, "nobody"));
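Review bot: The added `shiro.blockTraversal` binding in ScmSecurityModule.java switches off a request-validation check for every filter chain without saying why, whereas the `blockNonAscii` line directly above carries its rationale in a comment. I would add a matching comment, for example `// do not block dot-segments in request paths, because <reason>; traversal is rejected by <component>`, so the next maintainer knows which legitimate URLs needed this and which layer now owns path normalization. Because this removes a defense-in-depth layer, it is worth confirming (the hunk does not show it) that paths are normalized before they are matched against chains such as `/**.mustache` below and before any file or repository access. A regression test asserting that a request path containing dot-segments still cannot reach a protected resource would keep that guarantee visible. The enclosing method starts and ends outside the hunk.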