Open Redirect and SSRF Vulnerability in Apache Shiro by Apache
CVE-2026-44598
5.1 MEDIUM
What is CVE-2026-44598?
Apache Shiro does not properly validate the shiroSavedRequest cookie. A logged-in user can supply a crafted cookie value that causes the application to redirect to an arbitrary URL, which can in turn lead to Server-Side Request Forgery (SSRF). Users of the shiro-jakarta-ee integration module should upgrade to version 2.1.1 or 3.0.0-alpha-2, where the cookie is encrypted and the vulnerability is mitigated.
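The advisory's fix is to encrypt the saved-request cookie so a client can no longer substitute its own value. Independently of that, any application that redirects to a URL recovered from a client-controlled cookie benefits from checking that the target stays inside the application. The following Java helper is an added example written for this page; it is not Apache Shiro code and the class name, method name and the constructed sample inputs in `main` are assumptions. It accepts only a same-site relative path or an absolute http/https URL whose host and port match the application's own, and rejects scheme-relative references, other hosts (including internal addresses), non-http schemes and userinfo tricks.

```java
import java.net.URI;
import java.net.URISyntaxException;

/** Hypothetical helper (not part of Apache Shiro): decides whether a saved-request
 *  URL recovered from an untrusted cookie may be used as a redirect target. */
public final class SavedRequestCheck {
    private SavedRequestCheck() {}

    /**
     * Returns true only if {@code saved} points back into this application:
     * either a relative path beginning with a single '/', or an absolute
     * http/https URL whose host and effective port equal the expected ones.
     */
    public static boolean isSafeRedirectTarget(String saved, String expectedHost, int expectedPort) {
        if (saved == null || saved.isEmpty()) return false;
        // Reject control characters and whitespace that some clients tolerate in URLs.
        for (char c : saved.toCharArray()) {
            if (c <= 0x20 || c == 0x7f) return false;
        }
        // Some browsers treat a backslash like a slash ("/\host"), so refuse it outright.
        if (saved.indexOf('\\') >= 0) return false;

        URI uri;
        try {
            uri = new URI(saved);
        } catch (URISyntaxException e) {
            return false;
        }

        String scheme = uri.getScheme();
        if (scheme == null) {
            // Relative reference: must have no authority and a path starting with exactly one '/'.
            // "//host/path" is scheme-relative and would send the user off-site.
            String path = uri.getRawPath();
            return uri.getRawAuthority() == null
                && path != null
                && path.startsWith("/")
                && !path.startsWith("//");
        }
        if (!scheme.equalsIgnoreCase("http") && !scheme.equalsIgnoreCase("https")) return false;

        String host = uri.getHost();
        if (host == null || !host.equalsIgnoreCase(expectedHost)) return false;
        int port = uri.getPort() != -1 ? uri.getPort() : (scheme.equalsIgnoreCase("https") ? 443 : 80);
        if (port != expectedPort) return false;
        // Even with a matching host, refuse userinfo so "https://app.example@other.example" forms cannot slip through.
        return uri.getRawUserInfo() == null;
    }

    public static void main(String[] args) {
        // Constructed sample inputs; "app.example" stands in for the application's own host.
        String host = "app.example";
        int port = 443;
        String[] inputs = {
            "/account/settings",            // relative path inside the app: allowed
            "https://app.example/account",  // absolute, same host and port: allowed
            "//other.example/landing",      // scheme-relative: denied
            "https://other.example/",       // different host: denied
            "http://127.0.0.1:8080/status", // different host and port (internal address): denied
            "file:///tmp/anything",         // non-http scheme: denied
        };
        for (String s : inputs) {
            System.out.println((isSafeRedirectTarget(s, host, port) ? "ALLOW " : "DENY  ") + s);
        }
    }
}
```

Compile and run with `javac SavedRequestCheck.java && java SavedRequestCheck`; only the first two sample inputs print ALLOW. The check is deliberately an allow-list (same host and port, or a plain relative path) rather than a deny-list of known-bad hosts, because any host the application does not own, internal or external, is an equally bad redirect target.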
Affected Version(s)
Apache Shiro Jakarta EE module, versions 2.0.0-alpha-0 through 2.1.0
Apache Shiro Jakarta EE module, versions 3.0.0-alpha-0 through 3.0.0-alpha-1
CVSS v4
Score: 5.1
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown
Timeline
Vulnerability published
Vulnerability Reserved
Credit
James Love <jameslove2k22@gmail.com>
Lenny Primak <lenny@flowlogix.com>