Medium severity6.5NVD Advisory· Published May 25, 2026· Updated May 28, 2026
CVE-2026-43828
CVE-2026-43828
Description
Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attribute.
This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1.
Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue.
In the affected versions, Shiro-native session manager, as well as Remember-Me manager sends JSESSIONID and rememberMe cookies without 'secure' attribute by default.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2Patches
Vulnerability mechanics
References
2- www.openwall.com/lists/oss-security/2026/05/25/7nvdMailing ListThird Party Advisory
- shiro.apache.org/security-reports.htmlnvdVendor Advisory
News mentions
1- Apache Ships 12 Patches Across 7 Projects: Shiro, Airflow, Syncope Lead the BatchVypr Intelligence · May 28, 2026