CVE-2026-44598
Status: Analyzed (Analysis Complete)

Open Redirect via ShiroSavedRequest Cookie in Apache Shiro

Vulnerability report for CVE-2026-44598, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-25

Last updated on: 2026-05-28

Assigner: Apache Software Foundation

Description

With valid login credentials, URL Redirection to Untrusted Site ('Open Redirect') and Server-Side Request Forgery (SSRF) vulnerability in Apache Shiro. This issue affects Apache Shiro from 2.0-alpha to 2.1.0, and 3.0.0-alpha-1, only when using the shiro-jakarta-ee integration module. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue by encrypting the cookie. After successful login, the Jakarta EE integration module uses the shiroSavedRequest cookie to redirect to a particular web page. This cookie was not validated and can be forged to make the server send an HTTP GET request to an arbitrary URL taken from the cookie.
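The description names two missing properties of the saved-request cookie: it could be forged (no integrity check) and its content was used as a redirect and fetch target without restricting it to the application itself. The following Java class is an added illustration of both checks and is not Shiro's own code; Shiro's actual fix in 2.1.1 / 3.0.0-alpha-2 encrypts the cookie. Here the cookie value is bound to a server-side HMAC key (the class name, the key handling and the cookie layout are assumptions of this example) and, on the way back in, the value is accepted only if the MAC verifies and the decoded target is a same-site absolute path, so a tampered or externally pointing value is rejected before any redirect or server-side request is made.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Illustrative guard for a saved-request cookie (not Shiro's code). */
public final class SavedRequestCookieGuard {
    private static final String HMAC_ALG = "HmacSHA256";
    private final byte[] key; // assumption: a per-deployment secret loaded from server config

    public SavedRequestCookieGuard(byte[] key) { this.key = key.clone(); }

    /** Cookie layout (assumed for this example): base64url(path) + "." + base64url(hmac(path)). */
    public String seal(String savedPath) {
        if (!isLocalPath(savedPath)) {
            throw new IllegalArgumentException("saved request must be a same-site path");
        }
        String body = Base64.getUrlEncoder().withoutPadding()
                .encodeToString(savedPath.getBytes(StandardCharsets.UTF_8));
        return body + "." + mac(body);
    }

    /** Returns the validated local path, or null if the cookie is missing, forged, tampered, or off-site. */
    public String open(String cookieValue) {
        if (cookieValue == null) return null;
        int dot = cookieValue.lastIndexOf('.');
        if (dot <= 0) return null;
        String body = cookieValue.substring(0, dot);
        String tag = cookieValue.substring(dot + 1);
        // Constant-time comparison so the MAC cannot be recovered byte by byte.
        byte[] expected = mac(body).getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(tag.getBytes(StandardCharsets.UTF_8), expected)) return null;
        String path;
        try {
            path = new String(Base64.getUrlDecoder().decode(body), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return null;
        }
        // Even a correctly signed value is re-checked: the target must still be same-site.
        return isLocalPath(path) ? path : null;
    }

    /** Accept only absolute paths on this site: "/app/page?x=1", never "//host", "http://host" or "/\host". */
    static boolean isLocalPath(String target) {
        if (target == null || target.isEmpty() || target.charAt(0) != '/') return false;
        if (target.startsWith("//") || target.startsWith("/\\")) return false; // protocol-relative forms
        try {
            URI u = new URI(target);
            return u.getScheme() == null && u.getAuthority() == null
                    && u.getRawPath() != null && u.getRawPath().startsWith("/");
        } catch (URISyntaxException e) {
            return false;
        }
    }

    private String mac(String data) {
        try {
            Mac m = Mac.getInstance(HMAC_ALG);
            m.init(new SecretKeySpec(key, HMAC_ALG));
            return Base64.getUrlEncoder().withoutPadding()
                    .encodeToString(m.doFinal(data.getBytes(StandardCharsets.UTF_8)));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        // Constructed demo key; a real deployment loads the key from protected configuration.
        SavedRequestCookieGuard g = new SavedRequestCookieGuard(
                "demo-key-not-for-production".getBytes(StandardCharsets.UTF_8));
        String cookie = g.seal("/account/settings?tab=security");
        System.out.println("valid cookie   -> " + g.open(cookie));
        System.out.println("tampered MAC   -> " + g.open(cookie.substring(0, cookie.length() - 1) + "x"));
        // An unsigned value pointing at an external host (constructed) is rejected outright.
        String forged = Base64.getUrlEncoder().withoutPadding()
                .encodeToString("http://external.example/".getBytes(StandardCharsets.UTF_8));
        System.out.println("forged, no MAC -> " + g.open(forged));
        System.out.println("isLocalPath(\"//external.example\") = " + isLocalPath("//external.example"));
    }
}
```

Two design points carry the weight here. Integrity (the MAC) is what stops a client from writing its own shiroSavedRequest value; the same-site path check is what limits the damage even when the server itself wrote the value, since a saved request should only ever name a page on the application. Encryption, as used by the fixed Shiro releases, additionally hides the stored target from the client; an HMAC alone leaves it readable but unforgeable.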

CVSS Scores

EPSS Scores


Meta Information

Published: 2026-05-25
Last Modified: 2026-05-28
Generated: 2026-07-06
AI Q&A: 2026-05-26
EPSS Evaluated: 2026-07-04
Sources: NVD, EUVD

Affected Vendors & Products

Showing 2 associated CPEs

Vendor   Product   Version / Range
apache   shiro     3.0.0
apache   shiro     From 2.0.0 (inc) to 2.1.1 (exc)

Helpful Resources

Exploitability

CWE
KEV

CWE ID    Description
CWE-601   The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
CWE-918   The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Attack-Flow Graph

Executive Summary

This vulnerability exists in Apache Shiro's Jakarta EE integration module versions from 2.0-alpha to 2.1.0 and 3.0.0-alpha-1. After a user logs in successfully, the module uses a cookie named shiroSavedRequest to redirect the user to a specific web page.

The issue is that this cookie was not properly validated and could be forged by an attacker. This allows an attacker with valid login credentials to manipulate the cookie to cause the server to send an HTTP GET request to an arbitrary URL specified in the cookie.

This behavior leads to two main vulnerabilities: an Open Redirect, where users can be redirected to untrusted sites, and Server-Side Request Forgery (SSRF), where the server itself makes unintended requests to arbitrary URLs.

Impact Analysis

This vulnerability allows attackers with valid login credentials to redirect users to malicious or untrusted websites, potentially leading to phishing or other social engineering attacks.

Additionally, the Server-Side Request Forgery (SSRF) aspect means that attackers can make the server send HTTP requests to arbitrary URLs, which could be used to access internal systems, scan internal networks, or exploit other vulnerabilities within the server's network environment.

Mitigation Strategies

Users are recommended to upgrade Apache Shiro to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue by encrypting the cookie.

