CVE-2026-48589
Open Redirect in Apache Shiro Jakarta EE Module
Publication date: 2026-05-25
Last updated on: 2026-05-25
Assigner: Apache Software Foundation
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | shiro | From 2.0-alpha (inc) to 2.2.0 (inc) |
| apache | shiro | 3.0.0-alpha-1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-601 | The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Apache Shiro's Jakarta EE module, where the HTTP Referer header is used to determine the redirect target after a user login.
Because the Referer header is client-controlled and insufficiently validated in affected versions, an attacker could manipulate this header to influence where the application redirects the user after login.
This issue affects Apache Shiro versions from 2.0-alpha to 2.2.0 and 3.0.0-alpha-1, but only when using the shiro-jakarta-ee integration module.
How can this vulnerability impact me?
An attacker exploiting this vulnerability could cause users to be redirected to arbitrary or malicious websites after login.
This could lead to phishing attacks, where users are tricked into providing sensitive information on fake sites, or other malicious activities leveraging the redirect.
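The mitigation for CWE-601 is to never trust a client-supplied value such as the Referer header as a redirect target without checking that it stays on the application's own host. The following is an added example written for this page, not code from Apache Shiro or its shiro-jakarta-ee module: a validator that turns a Referer value into a same-origin, path-only redirect target and falls back to a default page otherwise. The host name app.example.com, the sample Referer values and the default path are constructed for illustration; the host comparison is a simple exact match and does not handle ports or wildcard subdomains.

```python
from urllib.parse import urlsplit

# Constructed sample Referer values a login handler might receive.
# Only the first two should ever be followed; the rest are rejected.
SAMPLE_REFERERS = [
    "https://app.example.com/account?tab=1",      # same host, absolute URL
    "/dashboard",                                  # relative path
    "https://evil.example/",                       # foreign host
    "//evil.example/x",                            # protocol-relative URL
    "https://app.example.com@evil.example/",       # userinfo trick
    "javascript:void(0)",                          # non-http scheme
    "/\\evil.example",                             # backslash host confusion
    None,                                          # header absent
]


def safe_post_login_redirect(referer, allowed_host, default="/"):
    """Derive a redirect target from a Referer header, or return `default`.

    The result is always a path (plus optional query) on the current host,
    so a browser can never be sent to another origin by this value.
    """
    if not referer:
        return default

    parts = urlsplit(referer)

    # Only http(s) may carry a usable path; anything else (javascript:, data:, ...)
    # is rejected outright.
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return default

    # A host component must match the application's own host exactly.
    # This also rejects protocol-relative URLs ("//evil.example/...") and
    # userinfo tricks ("https://app.example.com@evil.example/"), because
    # urlsplit puts both into netloc.
    if parts.netloc and parts.netloc.lower() != allowed_host.lower():
        return default

    path = parts.path or "/"

    # The path must be absolute within the site. A leading "//" or any
    # backslash is refused because browsers may reinterpret them as a host.
    if not path.startswith("/") or path.startswith("//") or "\\" in path:
        return default

    query = f"?{parts.query}" if parts.query else ""
    # The fragment is deliberately dropped; it is never needed server-side.
    return path + query


def classify_referers(samples, allowed_host):
    """Map each sample Referer to the redirect target the validator allows."""
    return {str(r): safe_post_login_redirect(r, allowed_host) for r in samples}


if __name__ == "__main__":
    for referer, target in classify_referers(SAMPLE_REFERERS, "app.example.com").items():
        print(f"{referer!r:45} -> {target}")
```

In a login flow the validated value replaces any direct use of the Referer header: the handler computes the target once, before issuing the redirect, and the fallback to the default page covers both a missing header and every rejected value, so there is no code path in which the raw header reaches the Location response header.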