Sensitive Cookie Transmission Issue in Apache Shiro by The Apache Software Foundation
CVE-2026-43828

5.9 MEDIUM

Key Information:

Vendor: Apache

CVE Published: 25 May 2026

What is CVE-2026-43828?

In their default configurations, Apache Shiro versions up to and including 2.1.0 and 3.0.0-alpha-1 set the JSESSIONID session cookie and the rememberMe cookie without the 'Secure' attribute, even when the application is served over HTTPS. Without that attribute a browser will also attach these cookies to plaintext HTTP requests for the same host, so an attacker who can observe or provoke such a request (for example by injecting an http:// link or redirect) can capture the session identifier or remember-me token and reuse it to hijack the session. Users are urged to upgrade to Apache Shiro 2.1.1 or 3.0.0-alpha-2, which address this issue.
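A quick way to check whether a deployed application is affected is to inspect the Set-Cookie headers it returns over HTTPS and flag Shiro's default session and remember-me cookie names when the Secure attribute is absent. The script below is an added example for this advisory, not code from Apache Shiro or from the advisory itself; the HTTP responses it scans are constructed samples, and the cookie names are Shiro's defaults (JSESSIONID and rememberMe).

```python
"""Audit HTTP responses for Shiro session cookies that lack the Secure attribute.

Added example (not Apache Shiro code). The sample responses are constructed
for illustration; point audit_response() at a real captured HTTPS response
(raw text, CRLF line endings) to check an actual deployment.
"""

# Shiro's default cookie names, compared case-insensitively.
SENSITIVE_COOKIES = {"jsessionid", "rememberme"}


def parse_set_cookie(header_value):
    """Parse one Set-Cookie header value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly map to True, valued attributes (Path, Max-Age, ...) to their text.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def audit_response(raw_response):
    """Return a list of findings for sensitive cookies set without Secure.

    Each finding is {"cookie": <name>, "missing": [<attribute>, ...]}.
    Cookies being deleted (Max-Age=0) carry no live token and are skipped.
    """
    head = raw_response.split("\r\n\r\n", 1)[0]
    findings = []
    for line in head.split("\r\n")[1:]:        # skip the status line
        hname, sep, hval = line.partition(":")
        if not sep or hname.strip().lower() != "set-cookie":
            continue
        name, _, attrs = parse_set_cookie(hval)
        if name.lower() not in SENSITIVE_COOKIES:
            continue
        if attrs.get("max-age") == "0":
            continue                            # logout / deletion cookie
        missing = [a for a, k in (("Secure", "secure"), ("HttpOnly", "httponly"))
                   if k not in attrs]
        if missing:
            findings.append({"cookie": name, "missing": missing})
    return findings


# Constructed sample: what an affected default configuration looks like.
VULNERABLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: rememberMe=deleteMe; Path=/; Max-Age=0; "
    "Expires=Thu, 01 Jan 1970 00:00:00 GMT\r\n"
    "Set-Cookie: rememberMe=Zm9v; Path=/; Max-Age=31536000; HttpOnly\r\n"
    "\r\n"
    "<html></html>"
)

# Constructed sample: the same cookies with the Secure attribute present.
FIXED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: rememberMe=Zm9v; Path=/; Max-Age=31536000; Secure; HttpOnly\r\n"
    "\r\n"
    "<html></html>"
)


if __name__ == "__main__":
    for label, resp in (("vulnerable", VULNERABLE_RESPONSE), ("fixed", FIXED_RESPONSE)):
        print(label, audit_response(resp))
```

Only responses captured over HTTPS are meaningful here: a cookie without Secure is expected on a plain-HTTP test instance. Where an immediate upgrade is not possible, the same attribute can be forced through Shiro's standard cookie settings (setting `secure = true` on the session manager's session ID cookie and on the remember-me manager's cookie in the Shiro configuration); re-run the audit afterwards to confirm the headers actually changed.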

Affected Version(s)

Apache Shiro 1.0 through 2.1.0 (inclusive)

Apache Shiro 3.0.0-alpha-0 through 3.0.0-alpha-1 (inclusive)

CVSS V4

Score: 5.9
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published: 25 May 2026

  • Vulnerability reserved

Credit

Meteor_Kai <1318723916@qq.com>
Lenny Primak <lenny@flowlogix.com>