CVE-2026-43828
Analyzed Analyzed - Analysis Complete
Session Cookie Missing Secure Attribute in Apache Shiro

Publication date: 2026-05-25

Last updated on: 2026-05-28

Assigner: Apache Software Foundation

Description
Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attribute. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue. In the affected versions, Shiro-native session manager, as well as Remember-Me manager sends JSESSIONID and rememberMe cookies without 'secure' attribute by default.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-25
Last Modified
2026-05-28
Generated
2026-06-15
AI Q&A
2026-05-26
EPSS Evaluated
2026-06-14
NVD
CVE-2026-43828
EUVD
EUVD-2026-31734
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
apache shiro 3.0.0
apache shiro to 2.1.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-614 The Secure attribute for sensitive cookies in HTTPS sessions is not set.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability occurs because default configurations of Apache Shiro send sensitive cookies, specifically JSESSIONID and rememberMe cookies, in HTTPS sessions without the 'Secure' attribute.

Without the 'Secure' attribute, these cookies can be transmitted over unencrypted HTTP connections, potentially exposing them to interception by attackers.

The issue affects Apache Shiro versions from 1.0 to 2.1.0 and 3.0.0-alpha-1. It is fixed in versions 2.1.1 and 3.0.0-alpha-2 or later.

Impact Analysis

The vulnerability can lead to sensitive session cookies being exposed over insecure connections, increasing the risk of session hijacking.

An attacker who intercepts these cookies could impersonate a legitimate user, gaining unauthorized access to the user's session and potentially sensitive information.

Mitigation Strategies

To mitigate this vulnerability, users are recommended to upgrade Apache Shiro to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue.

Compliance Impact

The vulnerability involves Apache Shiro sending sensitive cookies in HTTPS sessions without the 'Secure' attribute by default. This can lead to the exposure of session cookies over insecure channels, potentially allowing attackers to hijack user sessions.

Such exposure of sensitive session information can negatively impact compliance with common data protection standards and regulations like GDPR and HIPAA, which require appropriate safeguards to protect personal and sensitive data during transmission.

Therefore, the vulnerability may increase the risk of non-compliance with these regulations due to insufficient protection of session cookies.

Detection Guidance

This vulnerability involves Apache Shiro sending sensitive cookies (JSESSIONID and rememberMe) over HTTPS without the 'Secure' attribute set by default in affected versions.

To detect this vulnerability on your network or system, you can inspect the cookies sent by your Apache Shiro application over HTTPS and check if the 'Secure' attribute is missing.

One way to do this is by using command-line tools like curl or browser developer tools to observe the Set-Cookie headers.

  • Use curl to make an HTTPS request and view the Set-Cookie headers: curl -I https://your-shiro-app.example.com
  • Look for Set-Cookie headers for JSESSIONID and rememberMe cookies and verify if the 'Secure' attribute is present.
  • Alternatively, use browser developer tools (Network tab) to inspect cookies set by the application during HTTPS sessions.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43828. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart