Description
Apache Shiro’s Jakarta EE module used the HTTP Referer header in certain cases to issue a redirect after a user login.
In affected versions, insufficient validation of this client-controlled value could allow an attacker to influence the redirect target in applications using the Jakarta EE module.
This issue affects Apache Shiro from 2.0-alpha to 2.2.0, and 3.0.0-alpha-1, only when using shiro-jakarta-ee integration module.
Published: 2026-05-25
Score: 0 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Apache Shiro’s Jakarta EE integration module uses the HTTP Referer header after a user logs in to determine where to redirect. Because the value is not validated, an attacker can supply a crafted Referer header so that after login the user is redirected to an arbitrary site. This open redirect weakness (CWE-601) can be used to conduct phishing attacks, drive malicious traffic, or obscure the path of user navigation. The vulnerability allows the attacker to influence the redirect target only after the user authenticates, giving the false impression of legitimate service flow.

Affected Systems

Apache Shiro from the Apache Software Foundation is vulnerable in versions 2.0-alpha through 2.2.0 and in 3.0.0-alpha-1, but only when the shiro-jakarta-ee integration module is in use.

Risk and Exploitability

The EPSS score is not available and the vulnerability is not listed in CISA’s KEV catalog, so the public exploitation likelihood is unclear. The attack vector requires sending a login request with a manipulated Referer header; successful exploitation would redirect the authenticated user to a site chosen by the attacker. Because the flaw is an open redirect, the impact is limited to user experience and phishing rather than direct code execution or data theft.

Generated by OpenCVE AI on May 25, 2026 at 21:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Apache Shiro to a release that includes the fix for the Jakarta EE redirect issue.
  • If an immediate update is not possible, disable the shiro-jakarta-ee integration module.
  • Remove or modify the post-login redirect logic that reads the Referer header.
  • Verify that any custom redirect handlers perform proper sanitization or whitelist validation before redirecting user traffic.
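One way to apply the last recommendation, shown here as an added example that is not Apache Shiro's own code and does not use the Shiro API: a small Java helper that an application's post-login handler can call on a Referer-derived target before issuing the redirect. It accepts only same-origin paths or https URLs whose host is on an allowlist, and falls back to a fixed default otherwise. The allowlisted host names and the sample inputs in main are constructed for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

// Added example (not Shiro code): allowlist validation of a post-login redirect target.
public final class SafeRedirect {
    // Hosts this application may send users to (constructed sample allowlist).
    private static final Set<String> ALLOWED_HOSTS = Set.of("app.example.com", "sso.example.com");
    // Where to send the user when the requested target is not acceptable.
    private static final String DEFAULT_TARGET = "/";

    private SafeRedirect() {}

    /** Returns the candidate if it is a safe redirect target, otherwise DEFAULT_TARGET. */
    public static String resolve(String candidate) {
        if (candidate == null) return DEFAULT_TARGET;
        String value = candidate.trim();
        if (value.isEmpty()) return DEFAULT_TARGET;

        // Browsers treat any number of leading slashes as a scheme-relative reference
        // to another host, so refuse those before parsing rather than trusting the parser.
        if (value.startsWith("//")) return DEFAULT_TARGET;

        URI uri;
        try {
            // java.net.URI rejects illegal characters such as backslashes and spaces.
            uri = new URI(value);
        } catch (URISyntaxException e) {
            return DEFAULT_TARGET;
        }

        if (uri.getScheme() == null) {
            // Relative reference: accept only an absolute path on the current origin.
            if (uri.getRawAuthority() != null) return DEFAULT_TARGET;
            String path = uri.getRawPath();
            if (path == null || !path.startsWith("/")) return DEFAULT_TARGET;
            return value;
        }

        // Absolute URL: require https and a host that is exactly on the allowlist
        // (userinfo tricks like "https://app.example.com@other.example/" yield a foreign host).
        String scheme = uri.getScheme().toLowerCase(Locale.ROOT);
        String host = uri.getHost();
        if (!"https".equals(scheme) || host == null) return DEFAULT_TARGET;
        if (!ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) return DEFAULT_TARGET;
        return value;
    }

    public static void main(String[] args) {
        // Constructed sample inputs covering accepted and refused shapes.
        String[] samples = {
            "/account/home",                         // same-origin path: accepted
            "https://app.example.com/home?tab=1",    // allowlisted host: accepted
            "https://other.example/login",           // foreign host: replaced by default
            "//other.example/login",                 // scheme-relative: replaced by default
            "https://app.example.com@other.example/",// userinfo confusion: replaced by default
            "ftp://app.example.com/x",               // non-https scheme: replaced by default
            "",                                      // empty: replaced by default
        };
        for (String s : samples) {
            System.out.println("\"" + s + "\" -> " + resolve(s));
        }
    }
}
```

In a servlet-based application the value passed to resolve would be whatever the login flow derives from the request (a Referer header or a saved request), and the returned string is what gets handed to the redirect call; the allowlist should list only hosts the deployment actually serves.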

Generated by OpenCVE AI on May 25, 2026 at 21:50 UTC.

Tracking


Advisories

No advisories yet.

History

Mon, 25 May 2026 20:45:00 +0000

Type Values Removed Values Added
Description Apache Shiro’s Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user login. In affected versions, insufficient validation of this client-controlled value could allow an attacker to influence the redirect target in applications using the Jakarta EE module. This issue affects Apache Shiro from 2.0-alpha to 2.2.0, and 3.0.0-alpha-1, only when using shiro-jakarta-ee integration module.
Title Apache Shiro: Jakarta EE open redirect via untrusted Referer in post-login redirect flow
Weaknesses CWE-601
References
Metrics cvssV4_0

{'score': 0, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/S:N/AU:Y/R:A/V:D/U:Green'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-05-25T21:26:15.212Z

Reserved: 2026-05-22T00:31:53.177Z

Link: CVE-2026-48589

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-25T22:00:13Z

Weaknesses