CVE-2026-48589
Analyzed Analyzed - Analysis Complete
Open Redirect in Apache Shiro Jakarta EE Module

Publication date: 2026-05-25

Last updated on: 2026-05-28

Assigner: Apache Software Foundation

Description
Apache Shiro’s Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user login. In affected versions, insufficient validation of this client-controlled value could allow an attacker to influence the redirect target in applications using the Jakarta EE module. This issue affects Apache Shiro from 2.0-alpha to 2.2.0, and 3.0.0-alpha-1, only when using shiro-jakarta-ee integration module.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-25
Last Modified
2026-05-28
Generated
2026-06-15
AI Q&A
2026-05-26
EPSS Evaluated
2026-06-14
NVD
CVE-2026-48589
EUVD
EUVD-2026-31738
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
apache shiro 3.0.0
apache shiro From 2.0.0 (inc) to 2.2.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-601 The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Apache Shiro's Jakarta EE module, where the HTTP Referer header is used to determine the redirect target after a user login.

Because the Referer header is client-controlled and insufficiently validated in affected versions, an attacker could manipulate this header to influence where the application redirects the user after login.

This issue affects Apache Shiro versions from 2.0-alpha to 2.2.0 and 3.0.0-alpha-1, but only when using the shiro-jakarta-ee integration module.

Impact Analysis

An attacker exploiting this vulnerability could cause users to be redirected to arbitrary or malicious websites after login.

This could lead to phishing attacks, where users are tricked into providing sensitive information on fake sites, or other malicious activities leveraging the redirect.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48589. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart