CVE Alert

CVE-2026-44598

Severity: UNKNOWN

Apache Shiro Jakarta EE module: Open redirect and SSRF (requires valid credentials)

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

With valid login credentials, Apache Shiro is affected by a URL Redirection to Untrusted Site ('Open Redirect') and Server-Side Request Forgery (SSRF) vulnerability. This issue affects Apache Shiro from 2.0-alpha to 2.1.0, and 3.0.0-alpha-1, only when using the shiro-jakarta-ee integration module. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue by encrypting the cookie. After a successful login, the Jakarta EE integration module uses the shiroSavedRequest cookie to redirect the user to a particular web page. This cookie was not validated and could be forged so that the server itself sends an HTTP GET request to an arbitrary URL taken from the cookie.

CWE: CWE-601, CWE-918
Vendor: Apache Software Foundation
Product: Apache Shiro Jakarta EE module
Published: May 25, 2026
Last Updated: May 26, 2026

Affected Versions

Apache Software Foundation / Apache Shiro Jakarta EE module
2.0.0-alpha-0 ≤ version ≤ 2.1.0
3.0.0-alpha-0 ≤ version ≤ 3.0.0-alpha-1

References

NVD, CVE.org, EPSS Data
shiro.apache.org: https://shiro.apache.org/security-reports.html#cve_2026_44598
openwall.com: http://www.openwall.com/lists/oss-security/2026/05/25/8

Credits

James Love <[email protected]>
Lenny Primak <[email protected]>