CVE-2026-43828

UNKNOWN 0.0

Apache Shiro: Shiro's native session and rememberMe cookies do not have secure flag set by default

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attribute. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue. In the affected versions, Shiro-native session manager, as well as Remember-Me manager sends JSESSIONID and rememberMe cookies without 'secure' attribute by default.

CWE	CWE-614
Vendor	apache software foundation
Product	apache shiro
Published	May 25, 2026
Last Updated	May 26, 2026

Stay Ahead of the Next One

Get instant alerts for apache software foundation apache shiro

Be the first to know when new unknown vulnerabilities affecting apache software foundation apache shiro are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Apache Software Foundation / Apache Shiro

1.0 ≤ 2.1.0 3.0.0-alpha-0 ≤ 3.0.0-alpha-1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

shiro.apache.org: https://shiro.apache.org/security-reports.html#cve_2026_43828 openwall.com: http://www.openwall.com/lists/oss-security/2026/05/25/7

Credits

Meteor_Kai <[email protected]> Lenny Primak <[email protected]>