CVE-2026-43828 MEDIUM

CVE-2026-43828: Apache Shiro: Shiro's native session and rememberMe cookies do not have secure flag set by default

Vendor: Apache Software Foundation
Product: Apache Shiro
Weakness: CWE-614 · Cookie without Secure flag
Published: May 25, 2026
Last update: May 26, 2026

CVSS base score: 5.9/10

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: Active
Confidentiality: High
Integrity: None

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/AU:Y/R:U/RE:L/U:Amber

What the vulnerability does

Description

Default configurations of Apache Shiro send sensitive cookies over an HTTPS session without the 'Secure' attribute. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue. In the affected versions, the Shiro-native session manager and the Remember-Me manager send the JSESSIONID and rememberMe cookies without the 'secure' attribute by default. Without that attribute, a browser will also transmit these cookies on any plain-HTTP request to the same host, so a session or remember-me token issued over TLS can be exposed in cleartext on the network.
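For deployments that cannot upgrade immediately, the Secure flag can be set explicitly on both cookies. The following is an added example of a programmatic Shiro configuration, not code from the Shiro project; it assumes the Shiro web classes named in the imports (`SimpleCookie`, `DefaultWebSessionManager`, `CookieRememberMeManager`, `DefaultWebSecurityManager`) and the cookie-name constants they expose.

```java
import org.apache.shiro.web.mgt.CookieRememberMeManager;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.apache.shiro.web.servlet.Cookie;
import org.apache.shiro.web.servlet.ShiroHttpSession;
import org.apache.shiro.web.servlet.SimpleCookie;
import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;

/**
 * Example (not Shiro project code): build a security manager whose native
 * session cookie and rememberMe cookie both carry the Secure attribute,
 * which the affected default configuration omits.
 */
public final class SecureShiroCookies {

    // Cookie template with the Secure flag the vulnerable defaults lack.
    // HttpOnly is set explicitly as well so the intent is visible in config.
    static Cookie secureCookie(String name) {
        SimpleCookie cookie = new SimpleCookie(name);
        cookie.setSecure(true);   // browser sends it over HTTPS only
        cookie.setHttpOnly(true); // not readable from page scripts
        return cookie;
    }

    public static DefaultWebSecurityManager build() {
        // Native session manager: replace the default session-id cookie
        // (JSESSIONID) with one that has Secure set.
        DefaultWebSessionManager sessionManager = new DefaultWebSessionManager();
        sessionManager.setSessionIdCookie(
            secureCookie(ShiroHttpSession.DEFAULT_SESSION_ID_NAME));

        // Remember-Me manager: same treatment for the rememberMe cookie.
        CookieRememberMeManager rememberMe = new CookieRememberMeManager();
        rememberMe.setCookie(
            secureCookie(CookieRememberMeManager.DEFAULT_REMEMBER_ME_COOKIE_NAME));

        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        securityManager.setSessionManager(sessionManager);
        securityManager.setRememberMeManager(rememberMe);
        return securityManager;
    }
}
```

After deploying, confirm the change by inspecting the `Set-Cookie` response headers for both cookie names and checking that each carries `Secure`.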

Key dates

Disclosure timeline

May 25, 2026 CVE published
May 26, 2026 Record updated