Home

Description

Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attribute. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue. In the affected versions, Shiro-native session manager, as well as Remember-Me manager sends JSESSIONID and rememberMe cookies without 'secure' attribute by default.

PUBLISHED Reserved 2026-05-03 | Published 2026-05-25 | Updated 2026-05-26 | Assigner apache




MEDIUM: 5.9CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/AU:Y/R:U/RE:L/U:Amber

Problem types

CWE-614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

Product status

Default status
unaffected

1.0 (semver)
affected

3.0.0-alpha-0 (semver)
affected

Credits

Meteor_Kai <1318723916@qq.com> finder

Lenny Primak <lenny@flowlogix.com> remediation developer

References

www.openwall.com/lists/oss-security/2026/05/25/7

shiro.apache.org/security-reports.html vendor-advisory

cve.org (CVE-2026-43828)

nvd.nist.gov (CVE-2026-43828)

Download JSON