🔐 CVE Alert

CVE-2026-48589

Severity: UNKNOWN (score 0.0)

Apache Shiro: Jakarta EE open redirect via untrusted Referer in post-login redirect flow

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

Apache Shiro's Jakarta EE module used the HTTP Referer header in certain cases to issue a redirect after a user login. In affected versions, insufficient validation of this client-controlled value could allow an attacker to influence the redirect target in applications using the Jakarta EE module. This issue affects Apache Shiro from 2.0-alpha through 2.2.0, and 3.0.0-alpha-1, only when the shiro-jakarta-ee integration module is used.

CWE: CWE-601
Vendor: Apache Software Foundation
Product: Apache Shiro
Published: May 25, 2026
Last Updated: May 26, 2026

Affected Versions

Apache Software Foundation / Apache Shiro
- 2.0.0-alpha-0 ≤ version ≤ 2.2.0
- 3.0.0-alpha-0 ≤ version ≤ 3.0.0-alpha-1

References

- NVD
- CVE.org
- EPSS Data
- shiro.apache.org: https://shiro.apache.org/security-reports.html#cve_2026_48589
- openwall.com: http://www.openwall.com/lists/oss-security/2026/05/25/9

Credits

- Bartlomiej Dmitruk
- Lenny Primak