CVE-2026-44598
Status: Received - Intake
BaseFortify

Publication date: 2026-05-25

Last updated on: 2026-05-25

Assigner: Apache Software Foundation

Description
With valid login credentials, URL Redirection to Untrusted Site ('Open Redirect') and Server-Side Request Forgery (SSRF) vulnerabilities in Apache Shiro. This issue affects Apache Shiro from 2.0-alpha to 2.1.0, and 3.0.0-alpha-1, only when using the shiro-jakarta-ee integration module. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue by encrypting the cookie. After successful login, the Jakarta EE integration module uses the shiroSavedRequest cookie to redirect to a particular web page. This cookie was not validated, and can be forged to make the server itself send an HTTP GET request to an arbitrary URL taken from the cookie.
Meta Information
Generated: 2026-05-26
AI Q&A: 2026-05-26
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
apache shiro From 2.0-alpha (inc) to 2.1.1 (exc)
apache shiro to 2.1.1 (exc)
apache shiro to 3.0.0-alpha-2 (exc)
apache shiro 2.1.1
apache shiro 3.0.0-alpha-2
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
CWE-601 The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in Apache Shiro's Jakarta EE integration module versions from 2.0-alpha to 2.1.0 and 3.0.0-alpha-1. After a user logs in successfully, the module uses a cookie named shiroSavedRequest to redirect the user to a specific web page.

The issue is that this cookie was not properly validated and could be forged by an attacker. This allows an attacker with valid login credentials to manipulate the cookie to cause the server to send an HTTP GET request to an arbitrary URL specified in the cookie.

This behavior leads to two main vulnerabilities: an Open Redirect, where users can be redirected to untrusted sites, and Server-Side Request Forgery (SSRF), where the server itself makes unintended requests to arbitrary URLs.


How can this vulnerability impact me?

The vulnerability can impact you by allowing attackers with valid login credentials to redirect users to malicious or untrusted websites, potentially leading to phishing or other social engineering attacks.

Additionally, the Server-Side Request Forgery (SSRF) aspect means that attackers can make the server send HTTP requests to arbitrary URLs, which could be used to access internal systems, scan internal networks, or exploit other vulnerabilities within the server's network environment.


What immediate steps should I take to mitigate this vulnerability?

Users are recommended to upgrade Apache Shiro to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue by encrypting the cookie.
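As an added illustration (not Apache Shiro's code and not the upstream patch), the Python below contrasts a saved-request cookie that is trusted as-is with one that carries an integrity tag and whose target is checked to be a local path before the redirect is issued. The upstream fix encrypts the cookie; this example uses an HMAC tag from the standard library to show the same property (a client cannot mint or alter the value without the server key). The key, the cookie layout, the sample paths and all function names are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional
from urllib.parse import urlsplit

# Hypothetical server-side secret for this example. A real deployment would load a
# stable key from its secret store; a fresh random key per process simply invalidates
# every cookie on restart, which is fine for a demonstration.
COOKIE_KEY = secrets.token_bytes(32)


def b64encode_url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii")


def b64decode_url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode("ascii"))


def unvalidated_redirect_target(cookie: str) -> str:
    """The risky pattern: the cookie is plain text and whatever it names is used as-is.
    Any client can set this cookie, so a redirect to it (or a server-side fetch of it)
    goes wherever the client chose."""
    return cookie


def mint_saved_request(path: str, key: bytes = COOKIE_KEY) -> str:
    """Server side: build a saved-request cookie as base64(payload).base64(hmac-sha256)."""
    payload = json.dumps({"path": path}).encode("utf-8")
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{b64encode_url(payload)}.{b64encode_url(tag)}"


def read_saved_request(cookie: Optional[str], key: bytes = COOKIE_KEY) -> Optional[str]:
    """Return the saved path only if the integrity tag verifies; None otherwise."""
    if not cookie or "." not in cookie:
        return None
    payload_b64, tag_b64 = cookie.split(".", 1)
    try:
        payload = b64decode_url(payload_b64)
        tag = b64decode_url(tag_b64)
    except ValueError:  # bad base64 or non-ASCII input
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    try:
        path = json.loads(payload)["path"]
    except (ValueError, KeyError, TypeError):
        return None
    return path if isinstance(path, str) else None


def safe_redirect_target(target: Optional[str], default: str = "/") -> str:
    """Accept only an absolute path on this application; anything a browser or an HTTP
    client could resolve to another host falls back to the default."""
    if not isinstance(target, str) or not target.startswith("/"):
        return default
    # "//host" is scheme-relative; "/\\host" is treated like "//host" by some browsers.
    if target.startswith("//") or target.startswith("/\\"):
        return default
    if any(ch in target for ch in "\r\n\x00"):  # keep the Location header single-valued
        return default
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return default
    return target


def post_login_redirect(cookie: Optional[str], default: str = "/") -> str:
    """Hardened post-login flow: verify the cookie's tag, then validate its target."""
    saved = read_saved_request(cookie)
    return safe_redirect_target(saved, default)


if __name__ == "__main__":
    legit = mint_saved_request("/account/settings")
    print(post_login_redirect(legit))  # /account/settings
    # A client-minted cookie with no valid tag fails the integrity check: fall back to "/".
    forged = b64encode_url(b'{"path": "http://external.example/"}') + "." + b64encode_url(b"\x00" * 32)
    print(post_login_redirect(forged))  # /
    # Even a server-minted cookie that names an off-site URL is refused by the target check.
    print(post_login_redirect(mint_saved_request("http://external.example/")))  # /
```

The two checks are independent on purpose: the tag stops a client from choosing the value at all, and the target check limits the damage if a server-side code path ever stores an off-site URL, so a single mistake does not reopen either the redirect or the server-side request.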

