CVE-2026-44598
Status: Analyzed (analysis complete)
Open Redirect via ShiroSavedRequest Cookie in Apache Shiro

Publication date: 2026-05-25

Last updated on: 2026-05-28

Assigner: Apache Software Foundation

Description
With valid login credentials, an attacker can exploit a URL Redirection to Untrusted Site ('Open Redirect') and Server-Side Request Forgery (SSRF) vulnerability in Apache Shiro. This issue affects Apache Shiro from 2.0-alpha to 2.1.0, and 3.0.0-alpha-1, only when the shiro-jakarta-ee integration module is used. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue by encrypting the cookie. After a successful login, the Jakarta EE integration module uses the shiroSavedRequest cookie to redirect the user to the web page that was originally requested. This cookie was not validated and can be forged so that the server itself sends an HTTP GET request to an arbitrary URL taken from the cookie.
Meta Information
Generated: 2026-06-15
EPSS Evaluated: 2026-06-14
References: NVD, EUVD
Affected Vendors & Products (2 associated CPEs)
Vendor   Product   Version / Range
apache   shiro     3.0.0
apache   shiro     From 2.0.0 (inc) to 2.1.1 (exc)
Note: the CPE ranges are coarser than the advisory text, which names 2.0-alpha through 2.1.0 and 3.0.0-alpha-1 as affected and 2.1.1 / 3.0.0-alpha-2 as fixed. Check the installed shiro-jakarta-ee artifact version against the advisory rather than relying on a CPE match alone.
CWE
CWE ID   Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
CWE-601 The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
Executive Summary

This vulnerability exists in Apache Shiro's Jakarta EE integration module (shiro-jakarta-ee) in versions 2.0-alpha through 2.1.0 and in 3.0.0-alpha-1. After a user logs in successfully, the module reads a cookie named shiroSavedRequest and redirects the user to the URL stored in it.

The cookie was neither validated nor protected against tampering, so any value a client presents is trusted. An attacker who holds valid login credentials can set the cookie to an arbitrary URL before authenticating; on login, the server issues an HTTP GET request to that URL and redirects the user to it.

This behaviour yields two weaknesses: an Open Redirect (CWE-601), where users are sent to an untrusted site, and Server-Side Request Forgery (CWE-918), where the server itself makes an unintended request to an attacker-chosen URL.

Impact Analysis

The Open Redirect aspect allows an attacker with valid login credentials to send users to malicious or untrusted websites after a legitimate login, which lends credibility to phishing and other social-engineering attacks.

The Server-Side Request Forgery aspect means the server can be made to issue HTTP GET requests to arbitrary URLs, which may reach internal systems, enumerate internal networks, or trigger other vulnerabilities within the server's network environment. Two points bound the exposure: the attacker needs a valid account on the application, and the forged request is a GET, so the attacker controls the destination but not the method or body.

Mitigation Strategies

Users are recommended to upgrade Apache Shiro to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue by encrypting the cookie so that a client can no longer forge its contents. Only deployments that use the shiro-jakarta-ee integration module are affected by this advisory.
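The following is an added example for this page, written here and not taken from Apache Shiro or its shiro-jakarta-ee module. Shiro is a Java project; the example is in Python because the two controls it shows are language-neutral: (1) the saved-request cookie is authenticated so that a client-side edit is detected (the upstream fix encrypts the cookie; an HMAC is the minimal control against forgery and keeps the example on the standard library), and (2) the stored target is still validated as a path on the application's own origin before the login handler redirects to it, which independently blocks both the open-redirect and the SSRF outcome even if a bad value somehow gets signed. All names, the key, and the sample cookie values are assumptions constructed for the example.

```python
"""Hardened post-login redirect handling for a saved-request cookie.

Added example for this page; not code from Apache Shiro or shiro-jakarta-ee.
Control 1: the cookie is authenticated (HMAC-SHA256) so a forged value is rejected.
Control 2: the stored target must be a local path, so it can never name another host.
"""
import base64
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import unquote, urlsplit

# Hypothetical server-side key. A real deployment loads it from configuration
# or a KMS so that every node in a cluster verifies the same cookies.
SERVER_KEY = secrets.token_bytes(32)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def seal_saved_request(target: str, key: bytes = SERVER_KEY) -> str:
    """Cookie text 'body.tag' with tag = HMAC-SHA256(key, body)."""
    body = _b64url_encode(target.encode())
    tag = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64url_encode(tag)


def open_saved_request(cookie: str, key: bytes = SERVER_KEY) -> Optional[str]:
    """Return the stored target, or None if the tag is missing or does not verify."""
    body, sep, tag = cookie.rpartition(".")
    if not sep or not body or not tag:
        return None
    try:
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_b64url_decode(tag), expected):
            return None
        return _b64url_decode(body).decode()
    except (ValueError, UnicodeDecodeError):
        return None


def is_local_path(target: str) -> bool:
    """Accept only an absolute path on this origin, e.g. '/account?tab=1'.

    Rejected: absolute URLs, protocol-relative '//host', backslash variants that
    browsers normalise to '//', percent-encoded forms of the same, and control
    characters (CR/LF) that would enable response-header injection.
    """
    for form in (target, unquote(target)):
        if not form.startswith("/") or form.startswith("//") or "\\" in form:
            return False
        if any(ord(c) < 0x20 or ord(c) == 0x7F for c in form):
            return False
    parts = urlsplit(target)
    return not parts.scheme and not parts.netloc


def resolve_post_login_redirect(cookie: Optional[str], key: bytes = SERVER_KEY,
                                fallback: str = "/") -> str:
    """Value the login handler should place in the Location header."""
    if not cookie:
        return fallback
    target = open_saved_request(cookie, key)
    if target is None or not is_local_path(target):
        return fallback
    return target


if __name__ == "__main__":
    # Constructed cookie values standing in for what a client might present.
    genuine = seal_saved_request("/account?tab=1")
    swapped = _b64url_encode(b"http://attacker.example/") + "." + genuine.split(".")[1]
    cases = {
        "genuine": genuine,
        "unsigned absolute URL": "http://attacker.example/",
        "signed body swapped": swapped,
        "signed but off-origin": seal_saved_request("//attacker.example/"),
    }
    for name, value in cases.items():
        print(f"{name:24s} -> {resolve_post_login_redirect(value)}")
```

Only the genuine cookie produces a redirect to the stored page; every other case falls back to "/". Keeping the path validation even after the cookie verifies is deliberate: the value is written by the server when it saves a pre-login request, so a request URL that already carried an off-origin target would otherwise be signed and later honoured.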
