VYPR
Medium severity6.5NVD Advisory· Published May 25, 2026· Updated May 28, 2026

CVE-2026-43828

CVE-2026-43828

Description

Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attribute.

This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1.

Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue.

In the affected versions, Shiro-native session manager, as well as Remember-Me manager sends JSESSIONID and rememberMe cookies without 'secure' attribute by default.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Apache/Shiroinferred2 versions
    >=1.0,<=2.1.0+ 1 more
    • (no CPE)range: >=1.0,<=2.1.0
    • (no CPE)range: >=1.0, <=2.1.0, =3.0.0-alpha-1

Patches

Vulnerability mechanics

References

2

News mentions

1