PatchSiren cyber security CVE debrief

CVE-2026-53661 malach-it CVE debrief

CVE-2026-53661 is a high-severity vulnerability in the Boruta authorization server. Prior to version 0.9.1, Boruta's session cookies and remember-me cookie were set without the Secure attribute. This allowed potential attackers to intercept these cookies over an unencrypted connection if users accessed the same Boruta origin over plaintext HTTP. An attacker could then reuse a valid session or remember-me cookie to impersonate the affected user.

Vendor: malach-it
Product: boruta-server
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-11
Original CVE updated: 2026-06-11
Advisory published: 2026-06-11
Advisory updated: 2026-06-11

Who should care

Users of Boruta authorization server versions prior to 0.9.1 should be aware of this vulnerability. Specifically, deployments where users could reach the same Boruta origin over plaintext HTTP are affected. The affected components include boruta_web, boruta_identity, and boruta_admin.

Technical summary

The issue was fixed in commit 18691c655164635066aa113003a3cd87f6ed11cd, released as part of version 0.9.1. The patch sets `secure: true` and `same_site: 'Lax'` on configured session cookies for boruta_web, boruta_identity, and boruta_admin, and sets `secure: true` on the identity remember-me cookie.

Defensive priority

HIGH

Recommended defensive actions

  • Until upgrading to a release containing the fix, terminate or reject plaintext HTTP before requests reach Boruta.
  • Enforce HTTPS-only access at the reverse proxy or load balancer.
  • Enable HSTS for Boruta domains.
  • If cookie exposure is suspected, rotate SECRET_KEY_BASE and BORUTA_SESSION_COOKIE_SIGNING_SALT, then require users to authenticate again.
  • Upgrade to a version containing commit 18691c655164635066aa113003a3cd87f6ed11cd, or apply the patch manually.

Evidence notes

The CVE-2026-53661 vulnerability has a CVSS score of 8.8 and is classified as HIGH severity. The affected cookies include the shared session cookie (defaulting to _boruta_web_key) and the identity remember-me cookie (defaulting to _boruta_identity_web_user_remember_me).
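An added verification helper, not part of this advisory or of Boruta: it parses Set-Cookie response header values and reports whether the two default cookie names above carry the Secure attribute and which SameSite value they declare, so a deployment can be checked after upgrading or after enforcing HTTPS at the proxy. The sample headers are constructed, not captured from a real server.

```python
"""Added check: parse Set-Cookie headers and report Secure/SameSite on Boruta cookies."""

# Default cookie names from the advisory; override if the deployment renames them.
BORUTA_COOKIES = ("_boruta_web_key", "_boruta_identity_web_user_remember_me")


def parse_set_cookie(header: str) -> dict:
    """Parse one Set-Cookie header value into its name and the flags we care about.

    Attribute names are case-insensitive per RFC 6265, so compare in lowercase.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    info = {"name": name, "secure": False, "same_site": None}
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            info["secure"] = True
        elif key == "samesite":
            info["same_site"] = value.strip() or None
    return info


def audit_cookies(headers, watch=BORUTA_COOKIES) -> dict:
    """Map each watched cookie seen in `headers` to its parsed flags."""
    return {c["name"]: c for c in map(parse_set_cookie, headers) if c["name"] in watch}


def cookies_missing_secure(headers, watch=BORUTA_COOKIES) -> list:
    """Names of watched cookies that were set without the Secure attribute."""
    return [name for name, c in audit_cookies(headers, watch).items() if not c["secure"]]


# Constructed sample headers (not captured from a real server): the first pair mimics
# a pre-0.9.1 response, the second carries the flags the advisory says the patch adds
# (Secure plus SameSite=Lax on the session cookie, Secure only on remember-me).
PRE_FIX_HEADERS = [
    "_boruta_web_key=SFMyNTY.constructed; path=/; HttpOnly",
    "_boruta_identity_web_user_remember_me=SFMyNTY.constructed; path=/; max-age=2592000; HttpOnly",
]
POST_FIX_HEADERS = [
    "_boruta_web_key=SFMyNTY.constructed; path=/; secure; HttpOnly; SameSite=Lax",
    "_boruta_identity_web_user_remember_me=SFMyNTY.constructed; path=/; max-age=2592000; secure; HttpOnly",
]

if __name__ == "__main__":
    print("pre-fix missing Secure:", cookies_missing_secure(PRE_FIX_HEADERS))
    print("post-fix missing Secure:", cookies_missing_secure(POST_FIX_HEADERS))
```

Feed it the Set-Cookie values from a real login response to the deployment; any name it returns is a cookie that a plaintext HTTP request to the same origin would still carry.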

Official resources

CVE-2026-53661 was published on 2026-06-11T14:16:31.213Z and modified on 2026-06-11T15:34:11.757Z.