
CVE-2026-44598

MEDIUM 5.1

Published 2026-05-25 · Last modified 2026-05-26

With valid login credentials, a URL Redirection to Untrusted Site ('Open Redirect') and Server-Side Request Forgery (SSRF) vulnerability exists in Apache Shiro. This issue affects Apache Shiro from 2.0-alpha to 2.1.0, and 3.0.0-alpha-1, only when the shiro-jakarta-ee integration module is used. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue by encrypting the cookie. After a successful login, the Jakarta EE integration module uses the shiroSavedRequest cookie to redirect the user to a particular web page. This cookie was not validated and could be forged so that the server itself sends an HTTP GET request to an arbitrary URL taken from the cookie.

NO EXPLOITATION SIGNALS

No known exploitation, public exploit, or elevated probability at this time. Track for changes.

Exploitation likelihood

0.4% chance of exploitation in 30 days · 30th percentile

○ In CISA KEV · ○ Public exploit / PoC (neither applies at this time)

Impact if exploited

5.1 (CVSS 4.0) · MEDIUM

  • Confidentiality: Low
  • Integrity: None
  • Availability: None

What an attacker needs

  • Access: Reachable over the network — no local access needed
  • Privileges: Requires a low-privilege account
  • User interaction: Succeeds with passive user activity
  • Complexity: No special conditions — reliably repeatable
  • Requirements: No special attack requirements


Affected

Vendors: Apache Software Foundation

Products: Apache Shiro Jakarta EE Module

Weakness (CWE)

  • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
  • CWE-918: Server-Side Request Forgery (SSRF)

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/S:N/AU:Y/R:A/V:D/RE:L/U:Green

Sources: NVD · CVE.org · EPSS