PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-48589 Apache Software Foundation CVE debrief

Apache Shiro's Jakarta EE integration module contains an open redirect vulnerability due to insufficient validation of the HTTP Referer header when issuing post-login redirects. The vulnerability exists in the shiro-jakarta-ee module from versions 2.0-alpha through 2.2.0, and in version 3.0.0-alpha-1. The HTTP Referer header is client-controlled, and without proper validation, an attacker can influence the redirect target after authentication. This could facilitate phishing attacks by redirecting authenticated users to attacker-controlled domains. The vulnerability is classified as CWE-601 (URL Redirection to Untrusted Site).

Vendor
Apache Software Foundation
Product
Apache Shiro
CVSS
NONE
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-25
Original CVE updated
2026-05-26
Advisory published
2026-05-25
Advisory updated
2026-05-26

Who should care

Organizations running Apache Shiro with Jakarta EE integration in production environments; security teams responsible for authentication flow review; developers maintaining Shiro-based applications.

Technical summary

The shiro-jakarta-ee module uses the HTTP Referer header to determine redirect destinations after successful authentication. Because this header is attacker-controllable and insufficiently validated, applications may redirect users to arbitrary external URLs. The vulnerability is confined to the Jakarta EE integration module and does not affect core Shiro functionality or other integration modules.

Defensive priority

medium

Recommended defensive actions

  • Review applications using Apache Shiro's shiro-jakarta-ee module for affected versions (2.0-alpha through 2.2.0, 3.0.0-alpha-1)
  • Upgrade to a patched version of Apache Shiro when available from the Apache Shiro project
  • Implement additional server-side validation of redirect destinations independent of the Referer header
  • Configure web application firewalls to detect and block suspicious redirect patterns
  • Audit authentication flows for reliance on client-controlled headers for redirect decisions
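One way to carry out the server-side validation that the technical summary and the actions above call for, as an added example that is not Apache Shiro's or PatchSiren's code: a small Java helper that decides the post-login redirect target without trusting the Referer header on its own. It accepts only an application-relative path or an https URL to an allow-listed host, and falls back to a fixed landing page otherwise. The allow-listed host `app.example.com`, the default target `/home`, and the class name `SafeRedirect` are constructed for the example; the code uses only `java.net.URI` (Java 11 or later) and has no Shiro dependency, so it runs stand-alone.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

/**
 * Added example, not Apache Shiro code: pick a post-login redirect target
 * from a client-controlled value (such as the Referer header) by checking it
 * against server-side rules instead of passing it through.
 */
public final class SafeRedirect {

    // Hosts the application may redirect to (constructed for this example).
    private static final Set<String> ALLOWED_HOSTS = Set.of("app.example.com");
    // Hypothetical landing page used whenever the candidate is rejected.
    private static final String DEFAULT_TARGET = "/home";

    private SafeRedirect() {}

    /**
     * Returns a value that is safe to place in a Location header.
     * @param candidate the client-supplied redirect target; may be null
     */
    public static String resolve(String candidate) {
        if (candidate == null || candidate.isBlank()) {
            return DEFAULT_TARGET;
        }
        // Reject control characters (including CR/LF) before any parsing so the
        // value cannot smuggle extra headers into the response.
        for (int i = 0; i < candidate.length(); i++) {
            char c = candidate.charAt(i);
            if (c < 0x20 || c == 0x7F) {
                return DEFAULT_TARGET;
            }
        }
        URI uri;
        try {
            uri = new URI(candidate); // backslashes and spaces are rejected here
        } catch (URISyntaxException e) {
            return DEFAULT_TARGET;
        }
        if (uri.getScheme() == null && uri.getRawAuthority() == null) {
            // Relative reference: require exactly one leading slash. "//host" and
            // "///host" are resolved by browsers as a different origin, so they
            // are checked on the raw string, not on the parsed path.
            if (candidate.startsWith("/") && !candidate.startsWith("//")) {
                return candidate;
            }
            return DEFAULT_TARGET;
        }
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || host == null) {
            return DEFAULT_TARGET; // scheme-relative or unparseable authority
        }
        scheme = scheme.toLowerCase(Locale.ROOT);
        host = host.toLowerCase(Locale.ROOT);
        // Absolute URL: https only, no userinfo ("trusted@other-host" tricks),
        // and the host must be on the allow-list.
        if ("https".equals(scheme)
                && uri.getRawUserInfo() == null
                && ALLOWED_HOSTS.contains(host)) {
            return candidate;
        }
        return DEFAULT_TARGET;
    }

    public static void main(String[] args) {
        // Constructed sample Referer values, from benign to hostile.
        String[] samples = {
            "/account/settings",
            "https://app.example.com/dashboard",
            "https://attacker.example/login",
            "//attacker.example/",
            "///attacker.example/",
            "https://app.example.com@attacker.example/",
            "http://app.example.com/plain",
            null
        };
        for (String s : samples) {
            System.out.println(s + " -> " + resolve(s));
        }
    }
}
```

The helper deliberately compares the raw string for the relative-path case rather than the parsed path, because `java.net.URI` normalises `///host/...` to a path of `/host/...` while browsers resolve the original string against a different host. Wiring this into an application means calling `resolve()` on whatever the login flow currently reads from the Referer header and using only its return value in the redirect; the fallback target keeps the flow working for users whose browsers send no Referer at all.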

Evidence notes

CVE published 2026-05-25; modified 2026-05-26. Apache Shiro security advisory confirms affected versions and Jakarta EE module scope. CVSS 4.0 vector indicates network attack vector with low attack complexity, requiring low privileges and user interaction.

Official resources

2026-05-25