MEDIUM

GHSA-wpqm-4gwx-w843

Apache Shiro Vulnerable to Open Redirect, Server-Side Request Forgery

Details

With valid login credentials, URL Redirection to Untrusted Site ('Open Redirect'), Server-Side Request Forgery (SSRF) vulnerability in Apache Shiro.

This issue affects Apache Shiro from 2.0-alpha to 2.1.0, and 3.0.0-alpha-1, only when using shiro-jakarta-ee integration module.

Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue by encrypting the cookie.

After successful login, Jakarta EE integration module uses shiroSavedRequest cookie to redirect to a particular web page after login. This cookie was not validated, and can be forged to send a HTTP GET request from the server itself to an arbitrary URL from the cookie.

Are you affected?

Enter the version of the package you're using.

Affected packages

Maven / org.apache.shiro:shiro-jakarta-ee

Introduced in: 2.0.0-alpha-0 Fixed in: 2.2.0

Fix # pom.xml: bump <version>2.2.0</version> for org.apache.shiro:shiro-jakarta-ee

Maven / org.apache.shiro:shiro-jakarta-ee

Introduced in: 3.0.0-alpha-1 Fixed in: 3.0.0-alpha-2

Fix # pom.xml: bump <version>3.0.0-alpha-2</version> for org.apache.shiro:shiro-jakarta-ee

References

https://nvd.nist.gov/vuln/detail/CVE-2026-44598 [ADVISORY]
https://github.com/apache/shiro [PACKAGE]
https://shiro.apache.org/security-reports.html#cve_2026_44598 [WEB]
http://www.openwall.com/lists/oss-security/2026/05/25/8 [WEB]