PatchSiren cyber security CVE debrief

CVE-2026-44598 Apache Software Foundation CVE debrief

Apache Shiro's Jakarta EE integration module (shiro-jakarta-ee) contains an open redirect and server-side request forgery (SSRF) vulnerability in the shiroSavedRequest cookie handling. After successful authentication, this cookie is used to redirect users to a post-login destination, but the cookie value is neither validated nor encrypted. An attacker with valid login credentials can forge the cookie to cause the server to issue HTTP GET requests to arbitrary URLs, enabling SSRF, or redirect victims to untrusted sites. The vulnerability affects Shiro 2.0-alpha through 2.1.0 and 3.0.0-alpha-1. Apache released fixes in versions 2.1.1 and 3.0.0-alpha-2 by implementing cookie encryption.

Vendor: Apache Software Foundation
Product: Apache Shiro Jakarta EE module
CVSS: MEDIUM 5.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-25
Original CVE updated: 2026-05-26
Advisory published: 2026-05-25
Advisory updated: 2026-05-26

Who should care

Organizations running Apache Shiro 2.0-alpha through 2.1.0 or 3.0.0-alpha-1 with the shiro-jakarta-ee integration module enabled; security teams monitoring for SSRF and open redirect vulnerabilities in Java authentication frameworks; developers maintaining Shiro-based applications with custom authentication flows.

Technical summary

The shiro-jakarta-ee module uses a shiroSavedRequest cookie to store the post-login redirect URL. This cookie was transmitted without validation or cryptographic protection. An authenticated attacker can manipulate the cookie value to inject arbitrary URLs. Upon login completion, the server processes the cookie and issues an HTTP GET request to the attacker-controlled URL, resulting in SSRF. The same mechanism permits open redirect attacks if the forged URL is returned as a redirect response to the client. The fix encrypts the cookie to prevent tampering.

Defensive priority

Medium

Recommended defensive actions

  • Upgrade Apache Shiro to version 2.1.1 or 3.0.0-alpha-2 or later if using the shiro-jakarta-ee integration module
  • Verify shiroSavedRequest cookie encryption is active after upgrade by reviewing server response headers and cookie attributes
  • Review access logs for anomalous outbound HTTP GET requests originating from the application server that may indicate pre-patch exploitation
  • If immediate patching is not feasible, consider implementing network egress filtering to restrict server-initiated HTTP requests to authorized destinations only
  • Audit authentication flows to ensure no custom implementations replicate the vulnerable cookie handling pattern
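The cookie-handling pattern described in the technical summary, and the "audit custom implementations" action above, are illustrated below with an added example that is not Shiro's code: a saved-request cookie handler that trusts the client value as-is, beside a hardened version that authenticates the cookie with an HMAC and restricts the post-login target to a same-origin path. Names, the demo key, and the `attacker.example` host are constructed for this example.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import urlsplit

# Constructed demo key; a real deployment loads it from the application's secret store.
SECRET_KEY = secrets.token_bytes(32)


def is_safe_local_redirect(target: str) -> bool:
    """Accept only absolute-path, same-origin targets: no scheme, no host, no '//' prefix."""
    if not target or not target.startswith("/") or target.startswith("//"):
        return False
    parts = urlsplit(target)
    # Reject anything that parses with a scheme or authority, and backslashes,
    # which some browsers normalise to '/' (so '/\evil.example' becomes protocol-relative).
    return not parts.scheme and not parts.netloc and "\\" not in target


def issue_saved_request_cookie(target: str) -> Optional[str]:
    """Server side: validate the target, then bind it to an HMAC before handing it to the client."""
    if not is_safe_local_redirect(target):
        return None
    value = target.encode("utf-8")
    mac = hmac.new(SECRET_KEY, value, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(value).decode() + "." + base64.urlsafe_b64encode(mac).decode()


def vulnerable_post_login_target(cookie: Optional[str], default: str = "/") -> str:
    """The unprotected pattern: whatever the client sent becomes the redirect / fetch target."""
    return cookie or default


def hardened_post_login_target(cookie: Optional[str], default: str = "/") -> str:
    """Verify the HMAC first, then re-check the decoded target before using it."""
    if not cookie or "." not in cookie:
        return default
    b64_value, b64_mac = cookie.rsplit(".", 1)
    try:
        value = base64.urlsafe_b64decode(b64_value)
        mac = base64.urlsafe_b64decode(b64_mac)
    except ValueError:  # binascii.Error is a ValueError subclass
        return default
    expected = hmac.new(SECRET_KEY, value, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return default
    target = value.decode("utf-8", "replace")
    return target if is_safe_local_redirect(target) else default
```

Encrypting the value additionally hides the saved URL from the client, but the integrity check is what stops a forged cookie from steering the server's request or the user's redirect.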

Evidence notes

Apache Shiro security advisory confirms the shiroSavedRequest cookie was unvalidated and forgeable, permitting arbitrary URL GET requests from the server. Fix implemented via cookie encryption in 2.1.1 and 3.0.0-alpha-2. CVSS 4.0 vector indicates network attack vector, low attack complexity, privileges required, and user interaction required.

Official resources
