CVE-2026-48589 - Vulnerability Details

- Apache Shiro: Jakarta EE open redirect via untrusted Referer in post-login redirect flow

Description

Apache Shiro’s Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user login.
In affected versions, insufficient validation of this client-controlled value could allow an attacker to influence the redirect target in applications using the Jakarta EE module.
This issue affects Apache Shiro from 2.0-alpha to 2.2.0, and 3.0.0-alpha-1, only when using shiro-jakarta-ee integration module.

Published: 2026-05-25

Score: 0 Low

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Apache Shiro’s Jakarta EE integration module uses the HTTP Referer header after a user logs in to determine where to redirect. Because the value is not validated, an attacker can supply a crafted Referer header so that after login the user is redirected to an arbitrary site. This open redirect weakness (CWE-601) can be used to conduct phishing attacks, drive malicious traffic, or obscure the path of user navigation. The vulnerability allows the attacker to influence the redirect target only after the user authenticates, giving the false impression of legitimate service flow.

Affected Systems

Apache Shiro from the Apache Software Foundation is vulnerable in versions 2.0-alpha through 2.2.0 and in 3.0.0-alpha-1, but only when the shiro-jakarta-ee integration module is in use.

Risk and Exploitability

The EPSS score is < 1% and the vulnerability is not listed in CISA’s KEV catalog, so the public exploitation likelihood is low. The CVSS score of 5.4 indicates moderate severity. The attack vector requires sending a login request with a manipulated Referer header; successful exploitation would redirect the authenticated user to a site chosen by the attacker. Because the flaw is an open redirect, the impact is limited to user‑experience and phishing rather than direct code execution or data theft.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Apache Software Foundation

Apache Shiro

unaffected

Version	Status	Constraints
`2.0.0-alpha-0`	affected	≤ 2.2.0
`3.0.0-alpha-0`	affected	≤ 3.0.0-alpha-1

Configuration 1 [-]

OR	cpe:2.3:a:apache:shiro::::::::
	cpe:2.3:a:apache:shiro:3.0.0:alpha1::::::

No data.

Vendor Product Confidence Versions

Apache

Shiro

100%

Version	Status	Scheme	Platform
`[2.0.0-alpha-0,2.2.0]`	affected	semver	—
`[3.0.0-alpha-0,3.0.0-alpha-1]`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update Apache Shiro to a release that includes the fix for the Jakarta EE redirect issue.
If an immediate update is not possible, disable the shiro-jakarta-ee integration module.
Remove or modify the post‑login redirect logic that reads the Referer header.
Verify that any custom redirect handlers perform proper sanitization or whitelist validation before redirecting user traffic.

Generated by OpenCVE AI on May 28, 2026 at 14:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction Active

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00086.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
http://www.openwall.com/lists/oss-security/2026/05/25/9
https://shiro.apache.org/security-reports.html#cve_2026_48589

History

Thu, 28 May 2026 13:45:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:apache:shiro:::::::: cpe:2.3:a:apache:shiro:3.0.0:alpha1::::::
Metrics		cvssV3_1 `{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}`

Wed, 27 May 2026 10:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apache Apache shiro
Vendors & Products		Apache Apache shiro

Tue, 26 May 2026 13:45:00 +0000

Type	Values Removed	Values Added
References		http://www.openwall.com/lists/oss-security/2026/05/25/9

Tue, 26 May 2026 13:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 25 May 2026 20:45:00 +0000

Type	Values Removed	Values Added
Description		Apache Shiro’s Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user login. In affected versions, insufficient validation of this client-controlled value could allow an attacker to influence the redirect target in applications using the Jakarta EE module. This issue affects Apache Shiro from 2.0-alpha to 2.2.0, and 3.0.0-alpha-1, only when using shiro-jakarta-ee integration module.
Title		Apache Shiro: Jakarta EE open redirect via untrusted Referer in post-login redirect flow
Weaknesses		CWE-601
References		https://shiro.apache.org/security-reports.html#cve_2026_48589
Metrics		cvssV4_0 `{'score': 0, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/S:N/AU:Y/R:A/V:D/U:Green'}`

Subscriptions

Apache Shiro

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2026-05-25T20:20:03.597Z

Updated: 2026-05-26T12:37:44.475Z

Reserved: 2026-05-22T00:31:53.177Z

Link: CVE-2026-48589

Vulnrichment

Updated: 2026-05-25T21:26:15.212Z

NVD

Status : Analyzed

Published: 2026-05-25T21:16:35.117

Modified: 2026-05-28T13:38:44.880

Link: CVE-2026-48589

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T15:00:13Z

Weaknesses

CWE-601
URL Redirection to Untrusted Site ('Open Redirect')

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction Active

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object