Description
Boruta is a standalone authorization server that aims to implement OAuth 2.0 and OpenID Connect up to decentralized identity specifications. Prior to version 0.9.1, Boruta session cookies and the identity "remember me" cookie were set without the Secure attribute. In deployments where users could reach the same Boruta origin over plaintext HTTP, browsers could send these cookies over an unencrypted connection. An attacker able to observe or intercept that network traffic could recover a valid session or remember-me cookie and reuse it to impersonate the affected user.

Affected components include boruta_web, boruta_identity, and boruta_admin. The affected cookies are the shared session cookie, defaulting to `_boruta_web_key`, and the identity remember-me cookie, defaulting to `_boruta_identity_web_user_remember_me`. The issue is fixed in commit 18691c655164635066aa113003a3cd87f6ed11cd, released as part of version 0.9.1. The patch sets `secure: true` and `same_site: "Lax"` on the configured session cookies for boruta_web, boruta_identity, and boruta_admin, and sets `secure: true` on the identity remember-me cookie.

Until upgrading to a release containing the fix: terminate or reject plaintext HTTP before requests reach Boruta; enforce HTTPS-only access at the reverse proxy or load balancer; enable HSTS for Boruta domains; if cookie exposure is suspected, rotate SECRET_KEY_BASE and BORUTA_SESSION_COOKIE_SIGNING_SALT, then require users to authenticate again. Upgrade to a version containing commit 18691c655164635066aa113003a3cd87f6ed11cd, or apply the patch manually. After deploying the fix, verify that Boruta session and remember-me cookies include the Secure attribute in browser developer tools or with an HTTP response inspection tool.
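As an added example (not part of this advisory or of the Boruta project), a small checker for the post-deployment verification step above: it parses the Set-Cookie headers of an HTTP response and reports any Boruta session or remember-me cookie that lacks the Secure attribute, and additionally flags a session cookie whose SameSite value is not the Lax the patch sets. Cookie names default to the two named in the description; the sample headers and cookie values are constructed.

```python
"""Check Set-Cookie headers for the attributes the Boruta 0.9.1 fix sets."""
from typing import Dict, List

# Default cookie names from the advisory; adjust if the deployment renames them.
SESSION_COOKIES = {"_boruta_web_key"}
REMEMBER_ME_COOKIES = {"_boruta_identity_web_user_remember_me"}


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split one Set-Cookie header into {'name': ..., <attribute>: <value>}.

    Attribute keys are lowercased; flag attributes such as Secure map to "".
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {"name": name.strip()}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return attrs


def find_insecure_cookies(set_cookie_headers: List[str]) -> List[str]:
    """Return findings for Boruta cookies missing Secure (or SameSite=Lax on the session cookie)."""
    findings = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        name = cookie["name"]
        if name not in SESSION_COOKIES | REMEMBER_ME_COOKIES:
            continue  # not a Boruta cookie; out of scope for this check
        if "secure" not in cookie:
            findings.append(f"{name}: missing Secure attribute")
        if name in SESSION_COOKIES and cookie.get("samesite", "").lower() != "lax":
            findings.append(f"{name}: SameSite is {cookie.get('samesite') or 'unset'}, expected Lax")
    return findings


# Constructed samples: headers as a pre-fix deployment would send them, and as the patched one does.
BEFORE_FIX = [
    "_boruta_web_key=example-session-token; path=/; HttpOnly",
    "_boruta_identity_web_user_remember_me=example-remember-token; path=/; max-age=5184000; HttpOnly",
]
AFTER_FIX = [
    "_boruta_web_key=example-session-token; path=/; secure; HttpOnly; SameSite=Lax",
    "_boruta_identity_web_user_remember_me=example-remember-token; path=/; max-age=5184000; secure; HttpOnly",
]

if __name__ == "__main__":
    for label, headers in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        print(label, find_insecure_cookies(headers) or "OK")
```

Feed it the real headers from `curl -sI https://<boruta-host>/` (or a browser's response inspector) in place of the constructed lists.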
Published: 2026-06-11
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Boruta servers set session and remember-me cookies without the Secure flag prior to version 0.9.1, exposing them to interception on insecure HTTP connections. An attacker who can observe this traffic can capture a valid authentication cookie and impersonate the original user, leading to unauthorized access and potentially full account compromise. The weakness corresponds to CWE-614, Sensitive Cookie in HTTPS Session Without 'Secure' Attribute.

Affected Systems

The affected components are part of the Malach-IT Boruta Server suite, specifically boruta_web, boruta_identity, and boruta_admin. All releases before 0.9.1 are vulnerable, while version 0.9.1 and later include the fix that sets the Secure flag on the relevant cookies.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity. Although the EPSS score is not listed, the lack of a Secure cookie on a plaintext HTTP endpoint creates a clear attack path. An attacker with network visibility can intercept the cookie during an HTTP session, and because the session cookie is otherwise valid, it can be reused without further authentication steps. The vulnerability is not listed in CISA's KEV catalog, but the high CVSS score and user-session takeover potential warrant urgent attention.

Generated by OpenCVE AI on June 11, 2026 at 20:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Boruta version 0.9.1 or newer, which sets the Secure flag on all session and remember-me cookies.
  • Ensure that all connections to the Boruta origin are HTTPS-only; configure reverse proxies or load balancers to reject or terminate plaintext HTTP requests.
  • Enable HTTP Strict Transport Security (HSTS) for all Boruta domains to enforce secure connections at the browser level.
  • If cookie exposure is suspected, rotate the SECRET_KEY_BASE and BORUTA_SESSION_COOKIE_SIGNING_SALT values and require affected users to re-authenticate.


Advisories

No advisories yet.

History

Thu, 11 Jun 2026 15:30:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 11 Jun 2026 14:15:00 +0000

Type          Values Removed   Values Added
Description   (none)           (the Description text given at the top of this page)
Title         (none)           boruta-server sent sensitive session cookies without the Secure attribute
Weaknesses    (none)           CWE-614
References    (none)           (none)
Metrics       (none)           cvssV4_0: {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-11T14:25:46.528Z

Reserved: 2026-06-09T20:50:36.877Z

Link: CVE-2026-53661

Vulnrichment

Updated: 2026-06-11T14:25:36.259Z

NVD

Status: Awaiting Analysis

Published: 2026-06-11T14:16:31.213

Modified: 2026-06-11T15:34:11.757

Link: CVE-2026-53661

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-06-11T20:45:10Z

Weaknesses
  • CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute