Improper Input Validation in Apache Shiro's Jakarta EE Module
CVE-2026-48589

Key Information:

Vendor:
Apache

CVE Published:
25 May 2026

What is CVE-2026-48589?

The Jakarta EE module of Apache Shiro contains a vulnerability that lets an attacker abuse an HTTP Referer header that is not properly validated. Because the header influences where the user is sent after login, the redirect target can be manipulated without authorization, potentially directing users to malicious sites. Affected versions are Apache Shiro from 2.0-alpha to 2.2.0 and 3.0.0-alpha-1 when the shiro-jakarta-ee integration module is in use, so applying the necessary updates is essential.

Affected Version(s)

Apache Shiro 2.0.0-alpha-0 through 2.2.0

Apache Shiro 3.0.0-alpha-0 through 3.0.0-alpha-1

CVSS V4

Score:
Severity:
NONE
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Bartlomiej Dmitruk <bartek@striga.ai>
Lenny Primak <lenny@flowlogix.com>