PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-43828 Apache Software Foundation CVE debrief

Apache Shiro versions 1.0 through 2.1.0 and 3.0.0-alpha-1 do not set the Secure attribute on the native session cookie (JSESSIONID by default) or on the Remember-Me cookie unless the application configures it. A cookie without Secure is sent by the browser over both HTTPS and plain HTTP to the same host, so when an application is deployed over HTTPS but the host is also reachable over HTTP, a session identifier or Remember-Me token can end up in a cleartext request and be read by anyone positioned to observe that traffic. The issue is a default-configuration weakness rather than an implementation flaw, and it affects Shiro's native session manager and its Remember-Me support. The CVSS 4.0 vector records network attack vector, low attack complexity, attack requirements present, user interaction required, high confidentiality impact, and no integrity or availability impact.

Vendor
Apache Software Foundation
Product
Apache Shiro
CVSS
MEDIUM 5.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-25
Original CVE updated
2026-05-26
Advisory published
2026-05-25
Advisory updated
2026-05-26

Who should care

Organizations running Apache Shiro 1.0 through 2.1.0 or 3.0.0-alpha-1 over HTTPS, particularly where Shiro's native session manager or Remember-Me is enabled; security teams responsible for session management hardening; developers configuring Shiro-based authentication

Technical summary

The weakness lies in the defaults of Shiro's Cookie implementation (SimpleCookie), where the 'secure' property is false unless the application sets it. A browser sends a cookie that carries the Secure attribute only over TLS; a cookie without it is attached to every request for the matching host, over HTTPS and over plain HTTP alike. If the application is reachable over both HTTP and HTTPS, or a user follows an http:// link to the same host, the session cookie or Remember-Me cookie therefore travels in cleartext and can be captured by anyone able to observe the connection. The scope is the cookies Shiro itself writes: the session id cookie of the native session manager (DefaultWebSessionManager) and the cookie written by CookieRememberMeManager. An application that uses the servlet container's own sessions rather than Shiro's native session manager (Shiro's default web setup) takes the session cookie's attributes from the container configuration instead, but its Remember-Me cookie is still produced by Shiro. The weakness is classified as CWE-614 (Sensitive Cookie in HTTPS Session Without 'Secure' Attribute). The fix in versions 2.1.1 and 3.0.0-alpha-2 changes the default behavior so that the Secure attribute is set appropriately.
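The mitigation applied programmatically, as an added example that is not part of the advisory or of Shiro's own code. It assumes the Shiro web module API (DefaultWebSecurityManager, DefaultWebSessionManager, CookieRememberMeManager, SimpleCookie) as found in the affected 1.x and 2.x lines; the realm and the Remember-Me cipher key are supplied by the caller and are assumptions of this snippet. On an affected version, `new DefaultWebSessionManager()` and `new CookieRememberMeManager()` produce cookies with secure=false; the builder below overrides both.

```java
import org.apache.shiro.realm.Realm;
import org.apache.shiro.web.mgt.CookieRememberMeManager;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.apache.shiro.web.servlet.Cookie;
import org.apache.shiro.web.servlet.ShiroHttpSession;
import org.apache.shiro.web.servlet.SimpleCookie;
import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;

/**
 * Builds a DefaultWebSecurityManager whose native session cookie and
 * Remember-Me cookie both carry Secure and HttpOnly, regardless of the
 * defaults of the Shiro version in use. Added example: the Realm and the
 * Remember-Me cipher key are assumed to come from the application.
 */
public final class HardenedShiroConfig {

    private HardenedShiroConfig() {}

    /** Session id cookie: Shiro's default name, with Secure and HttpOnly forced on. */
    static Cookie sessionIdCookie() {
        SimpleCookie cookie = new SimpleCookie(ShiroHttpSession.DEFAULT_SESSION_ID_NAME); // "JSESSIONID"
        cookie.setHttpOnly(true); // set explicitly rather than relying on the version's default
        cookie.setSecure(true);   // the attribute affected versions leave unset (CWE-614)
        return cookie;
    }

    /** Remember-Me cookie: Shiro's default name and lifetime, with Secure and HttpOnly forced on. */
    static Cookie rememberMeCookie() {
        SimpleCookie cookie = new SimpleCookie(CookieRememberMeManager.DEFAULT_REMEMBER_ME_COOKIE_NAME); // "rememberMe"
        cookie.setMaxAge(Cookie.ONE_YEAR);
        cookie.setHttpOnly(true);
        cookie.setSecure(true);
        return cookie;
    }

    /**
     * Wires the hardened cookies into a security manager.
     *
     * @param realm              the application's realm (assumed, supplied by the caller)
     * @param rememberMeCipherKey persistent key for the Remember-Me token, loaded from the
     *                           application's secret store (assumed, never hard-coded here)
     */
    public static DefaultWebSecurityManager build(Realm realm, byte[] rememberMeCipherKey) {
        // Native session manager: Shiro, not the servlet container, writes the session cookie,
        // so the Secure attribute must be set here.
        DefaultWebSessionManager sessionManager = new DefaultWebSessionManager();
        sessionManager.setSessionIdCookie(sessionIdCookie());

        CookieRememberMeManager rememberMeManager = new CookieRememberMeManager();
        rememberMeManager.setCookie(rememberMeCookie());
        rememberMeManager.setCipherKey(rememberMeCipherKey);

        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager(realm);
        securityManager.setSessionManager(sessionManager);
        securityManager.setRememberMeManager(rememberMeManager);
        return securityManager;
    }
}
```

The same two settings can be expressed in shiro.ini by assigning a SimpleCookie with secure = true to sessionManager.sessionIdCookie and to rememberMeManager.cookie; whichever form is used, it stays correct after upgrading, since it no longer depends on the library's default.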

Defensive priority

medium

Recommended defensive actions

  • Upgrade Apache Shiro to version 2.1.1 or 3.0.0-alpha-2 or later per vendor guidance
  • If immediate upgrade is not feasible, explicitly set secure=true on the session id cookie (DefaultWebSessionManager.sessionIdCookie) and on the Remember-Me cookie (CookieRememberMeManager.cookie); keep the explicit setting after upgrading rather than relying on the library default
  • Verify the Secure and HttpOnly attributes on the Set-Cookie headers the application actually emits, using browser developer tools or by capturing response headers (for example with curl -D -)
  • Serve the application over HTTPS only: redirect or refuse plain HTTP on the host and consider HSTS so that browsers do not issue http:// requests that would carry the cookie in cleartext
  • Audit existing session management configurations for hardcoded insecure cookie settings
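An offline check for the verification step above, written as an added example rather than code from the advisory or from Shiro. It takes the Set-Cookie header lines of a response captured from the HTTPS deployment and reports each Shiro-emitted cookie that lacks Secure or HttpOnly. The header samples in main are constructed to illustrate an affected default and a hardened configuration; they are not captured from a real deployment. Requires Java 9 or later for List.of and Set.of.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Set;

/**
 * Audits Set-Cookie headers for the two cookies Shiro writes by default
 * (native session id and Remember-Me). Added example; feed it the header
 * lines from curl -D -, a proxy, or browser developer tools.
 */
public final class CookieFlagAudit {

    /** Cookie names compared case-insensitively: Shiro's default session id and Remember-Me names. */
    private static final Set<String> SENSITIVE = Set.of("jsessionid", "rememberme");

    private CookieFlagAudit() {}

    /** Returns one finding per sensitive cookie attribute that is missing; empty when all are set. */
    public static List<String> audit(List<String> setCookieHeaders) {
        List<String> findings = new ArrayList<>();
        for (String header : setCookieHeaders) {
            // "name=value; Attr; Attr=val": the first ';'-separated piece is name=value,
            // the rest are attributes. Expires contains commas but no ';', so this split is safe.
            String[] parts = header.split(";");
            int eq = parts[0].indexOf('=');
            if (eq < 0) {
                continue; // not a name=value pair, ignore
            }
            String name = parts[0].substring(0, eq).trim();
            if (!SENSITIVE.contains(name.toLowerCase(Locale.ROOT))) {
                continue; // only Shiro's session and Remember-Me cookies are in scope here
            }
            boolean secure = false;
            boolean httpOnly = false;
            for (int i = 1; i < parts.length; i++) {
                String attr = parts[i].trim().toLowerCase(Locale.ROOT);
                if (attr.equals("secure")) {
                    secure = true;
                } else if (attr.equals("httponly")) {
                    httpOnly = true;
                }
            }
            if (!secure) {
                findings.add(name + ": missing Secure (CWE-614)");
            }
            if (!httpOnly) {
                findings.add(name + ": missing HttpOnly");
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed samples (not captured): an affected default, then a hardened configuration.
        List<String> affected = List.of(
                "JSESSIONID=0123456789abcdef; Path=/; HttpOnly",
                "rememberMe=deleteMe; Path=/; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly");
        List<String> hardened = List.of(
                "JSESSIONID=0123456789abcdef; Path=/; HttpOnly; Secure",
                "rememberMe=<token>; Path=/; Max-Age=31536000; HttpOnly; Secure");
        System.out.println("affected: " + audit(affected));
        System.out.println("hardened: " + audit(hardened));
    }
}
```

Shiro sets the session cookie when a session is first created and the Remember-Me cookie after a login with "remember me" selected, so capture responses from those requests rather than from a static page; the first sample set produces a "missing Secure" finding for each cookie, the second produces none.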

Evidence notes

Official Apache Shiro security advisory confirms affected versions and fix releases. NVD entry undergoing analysis as of source capture.

Official resources

Disclosed 2026-05-25 via Apache Shiro security reports and oss-security mailing list. CVE modified 2026-05-26.