CVE-2026-44598 MEDIUM

CVE-2026-44598: Apache Shiro Jakarta EE module: Open redirect and SSRF (requires valid credentials)

Vendor Apache Software Foundation

Product Apache Shiro Jakarta EE module

Weakness CWE-601 · Open redirect

Published May 25, 2026

Last update May 26, 2026

View on NVD All CVEs

CVSS base score

5.1/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/S:N/AU:Y/R:A/V:D/RE:L/U:Green

What the vulnerability does

Description

With valid login credentials, URL Redirection to Untrusted Site ('Open Redirect'), Server-Side Request Forgery (SSRF) vulnerability in Apache Shiro. This issue affects Apache Shiro from 2.0-alpha to 2.1.0, and 3.0.0-alpha-1, only when using shiro-jakarta-ee integration module. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue by encrypting the cookie. After successful login, Jakarta EE integration module uses shiroSavedRequest cookie to redirect to a particular web page after login. This cookie was not validated, and can be forged to send a HTTP GET request from the server itself to an arbitrary URL from the cookie.

Key dates

Disclosure timeline

May 25, 2026 CVE published

May 26, 2026 Record updated

Identifiers

CVE CVE-2026-44598

CWE CWE-601

CVSS 5.1 / MEDIUM

Affected versions

Vendor Apache Software Foundation

Product Apache Shiro Jakarta EE module

Affected ≥ 2.0.0-alpha-0 and ≤ 2.1.0

Vendor Apache Software Foundation

Product Apache Shiro Jakarta EE module

Affected ≥ 3.0.0-alpha-0 and ≤ 3.0.0-alpha-1