Description
With valid login credentials, a URL Redirection to Untrusted Site ('Open Redirect') and Server-Side Request Forgery (SSRF) vulnerability exists in Apache Shiro.

This issue affects Apache Shiro from 2.0-alpha to 2.1.0, and 3.0.0-alpha-1, only when using the shiro-jakarta-ee integration module.

Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue by encrypting the cookie.

After successful login, the Jakarta EE integration module uses the shiroSavedRequest cookie to redirect to a particular web page. This cookie was not validated and can be forged to make the server itself send an HTTP GET request to an arbitrary URL taken from the cookie.
Published: 2026-05-25
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

When a user logs in, the Jakarta EE integration module stores the target page in a cookie named shiroSavedRequest and redirects the browser to that URL after authentication. The cookie is not validated, so an attacker can craft a forged value that causes the application server to request an arbitrary URL, resulting in server-side request forgery. If the request is made to an untrusted external site it also creates an open redirect, potentially exposing users to phishing or further exploitation. The impact is that an authenticated attacker can make the server act as a client to arbitrary destinations, leading to data exfiltration, internal network traversal, or hijacking of external services.

Affected Systems

Apache Shiro Jakarta EE module, versions 2.0-alpha through 2.1.0 and 3.0.0-alpha-1 are affected. Users should upgrade to 2.1.1 or later, or to 3.0.0-alpha-2 or later, where the shiroSavedRequest cookie is encrypted and validated.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity. Exploitation requires valid credentials, so the likelihood of attack is lowered, but once logged in the attacker can cause the server itself to issue arbitrary HTTP GET requests. The vulnerability is not listed in CISA's KEV catalog and EPSS data is unavailable. Attackers can exploit the vulnerability by forging the shiroSavedRequest cookie after authenticating, then sending a crafted request to the application server; the server will forward the request to any URL contained in the cookie.

Generated by OpenCVE AI on May 25, 2026 at 21:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Apache Shiro Jakarta EE module 2.1.1 or later, or 3.0.0-alpha-2 or later, to enable encryption and validation of the shiroSavedRequest cookie.
  • If an immediate upgrade is not possible, restrict the shiroSavedRequest cookie to internal networks only and block any outbound requests that are not explicitly allowed by your firewall policies.
  • After upgrading, review your authentication and session management to ensure that untrusted input is not used for URL redirects in any way.
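The last recommendation is the generic defence behind this CVE: a post-login redirect target that comes back from the client must be both unforgeable and restricted to the application's own origin. The class below is an added illustration written for this page, not Apache Shiro's code and not the technique Shiro's fix uses (the advisory says Shiro encrypts the cookie; this example instead authenticates it with an HMAC, a simpler construction that stops forgery but does not hide the value). The class name `SavedRequestCookie`, the `seal`/`open` methods, the constructed key and the sample paths are all assumptions. It shows two independent checks a defender wants: a forged or tampered cookie is rejected before its content is parsed, and even a correctly sealed value is only honoured if it is an absolute-path reference on the same origin (no scheme, no authority, no protocol-relative `//` or backslash variants).

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Optional;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical helper written for this page; not part of Apache Shiro.
public final class SavedRequestCookie {
    private static final String MAC_ALG = "HmacSHA256";
    private final byte[] key; // server-side secret; never sent to the client

    public SavedRequestCookie(byte[] key) {
        this.key = key.clone();
    }

    /** Cookie value layout: base64url(path) + "." + base64url(HMAC-SHA256(base64url(path))). */
    public String seal(String path) throws GeneralSecurityException {
        String body = b64(path.getBytes(StandardCharsets.UTF_8));
        return body + "." + b64(mac(body));
    }

    /** Returns the saved path only if the tag verifies AND the path is a safe local target. */
    public Optional<String> open(String cookieValue) throws GeneralSecurityException {
        if (cookieValue == null) return Optional.empty();
        int dot = cookieValue.lastIndexOf('.');
        if (dot < 0) return Optional.empty();
        String body = cookieValue.substring(0, dot);
        byte[] given;
        try {
            given = Base64.getUrlDecoder().decode(cookieValue.substring(dot + 1));
        } catch (IllegalArgumentException e) {
            return Optional.empty();
        }
        // Constant-time comparison; a forged or edited cookie stops here, before the path is parsed.
        if (!MessageDigest.isEqual(mac(body), given)) return Optional.empty();
        String path = new String(Base64.getUrlDecoder().decode(body), StandardCharsets.UTF_8);
        return isLocalPath(path) ? Optional.of(path) : Optional.empty();
    }

    /** Accepts only an absolute-path reference on this origin, e.g. "/app/x?y=1". */
    static boolean isLocalPath(String s) {
        if (s == null || s.isEmpty() || s.charAt(0) != '/') return false;
        // "//host/..." and "/\host/..." are treated as protocol-relative URLs by browsers.
        if (s.startsWith("//") || s.startsWith("/\\")) return false;
        // Backslashes and control characters have no place in a redirect path.
        if (s.indexOf('\\') >= 0 || s.chars().anyMatch(c -> c < 0x20)) return false;
        try {
            URI u = new URI(s);
            return u.getScheme() == null
                && u.getRawAuthority() == null
                && u.getRawPath() != null
                && u.getRawPath().startsWith("/");
        } catch (URISyntaxException e) {
            return false;
        }
    }

    private byte[] mac(String s) throws GeneralSecurityException {
        Mac m = Mac.getInstance(MAC_ALG);
        m.init(new SecretKeySpec(key, MAC_ALG));
        return m.doFinal(s.getBytes(StandardCharsets.UTF_8));
    }

    private static String b64(byte[] b) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo key; a real deployment loads a random secret from configuration.
        SavedRequestCookie c = new SavedRequestCookie(
            "constructed-demo-key-not-for-production".getBytes(StandardCharsets.UTF_8));

        // Cookie the server itself issued for a local page: tag verifies, path is local.
        String issued = c.seal("/app/reports?id=7");
        System.out.println("issued cookie  -> " + c.open(issued));

        // Client-forged cookie with a zero tag: fails the HMAC check.
        String forged = b64("http://external.example/".getBytes(StandardCharsets.UTF_8))
            + "." + b64(new byte[32]);
        System.out.println("forged cookie  -> " + c.open(forged));

        // Defence in depth: a correctly sealed but non-local target still fails the path check.
        System.out.println("sealed non-local -> " + c.open(c.seal("//external.example/")));
    }
}
```

The two checks are deliberately independent: the HMAC makes the cookie unforgeable, and the local-path rule bounds the damage if the key ever leaks or the cookie is issued with a bad value, so a server-side fetch or browser redirect can never leave the application's own origin.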

Generated by OpenCVE AI on May 25, 2026 at 21:21 UTC.

Advisories

No advisories yet.

History

Tue, 26 May 2026 13:45:00 +0000

Type | Values Removed | Values Added
References | |

Tue, 26 May 2026 13:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Apache; Apache shiro
Vendors & Products | | Apache; Apache shiro

Tue, 26 May 2026 13:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc:
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 25 May 2026 20:45:00 +0000

Type | Values Removed | Values Added
Description | | With valid login credentials, URL Redirection to Untrusted Site ('Open Redirect'), Server-Side Request Forgery (SSRF) vulnerability in Apache Shiro. This issue affects Apache Shiro from 2.0-alpha to 2.1.0, and 3.0.0-alpha-1, only when using shiro-jakarta-ee integration module. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue by encrypting the cookie. After successful login, Jakarta EE integration module uses shiroSavedRequest cookie to redirect to a particular web page after login. This cookie was not validated, and can be forged to send a HTTP GET request from the server itself to an arbitrary URL from the cookie.
Title | | Apache Shiro Jakarta EE module: Open redirect and SSRF (requires valid credentials)
Weaknesses | | CWE-601; CWE-918
References | |
Metrics | | cvssV4_0:
{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/S:N/AU:Y/R:A/V:D/RE:L/U:Green'}


MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-05-26T12:38:12.217Z

Reserved: 2026-05-07T01:57:05.531Z

Link: CVE-2026-44598

Vulnrichment

Updated: 2026-05-25T21:26:14.204Z

NVD

Status : Received

Published: 2026-05-25T21:16:34.970

Modified: 2026-05-25T22:16:33.873

Link: CVE-2026-44598

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T13:00:08Z

Weaknesses