VYPR
Unrated severity · NVD Advisory · Published May 25, 2026

Apache Shiro: Shiro's native session and rememberMe cookies do not have secure flag set by default

CVE-2026-43828

Description

Default configurations of Apache Shiro send sensitive cookies in HTTPS sessions without the 'Secure' attribute.

This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1.

Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue.

In the affected versions, the Shiro-native session manager and the Remember-Me manager send the JSESSIONID and rememberMe cookies without the 'Secure' attribute by default.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache Shiro's default configuration sends session cookies without the Secure flag over HTTPS, exposing them to interception.

Vulnerability

Apache Shiro's native session manager and Remember-Me manager send JSESSIONID and rememberMe cookies without the Secure attribute by default. This affects versions 1.0 to 2.1.0 and 3.0.0-alpha-1 [1]. The Secure attribute ensures cookies are only transmitted over HTTPS, but it is missing in these configurations.

Exploitation

An attacker with network access (e.g., on a shared Wi-Fi or via man-in-the-middle) can intercept the unencrypted cookie if the connection is downgraded or if the user accesses a non-HTTPS page. No authentication is required; the attacker simply needs to capture the cookie during transmission.

Impact

Successful exploitation allows the attacker to hijack the user's session or remember-me token, leading to unauthorized access to the application as the victim. This compromises confidentiality and integrity of user data and actions.

Mitigation

Upgrade to Apache Shiro 2.1.1 or 3.0.0-alpha-2 or later, which include the Secure attribute by default [1]. Alternatively, manually configure the Secure attribute on cookies in the application's configuration. No other workarounds are mentioned in the available references.
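For deployments that cannot upgrade immediately, the manual mitigation above can be expressed in shiro.ini. The following is an added example, not configuration from the advisory or from the Shiro project; it assumes the application uses the Shiro-native DefaultWebSessionManager (the session manager the advisory concerns) and the default CookieRememberMeManager, and that the SimpleCookie bean exposes the secure and httpOnly properties.

```ini
[main]
# Shiro-native session manager with an explicit session cookie that carries
# the Secure attribute, so the browser only sends it over HTTPS.
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
sessionIdCookie = org.apache.shiro.web.servlet.SimpleCookie
sessionIdCookie.name = JSESSIONID
sessionIdCookie.secure = true
sessionIdCookie.httpOnly = true
sessionManager.sessionIdCookie = $sessionIdCookie
securityManager.sessionManager = $sessionManager

# Remember-Me cookie: the web security manager's default rememberMeManager
# is CookieRememberMeManager; hand it a cookie with Secure set as well.
# maxAge (seconds) is an assumed value for illustration: 30 days.
rememberMeCookie = org.apache.shiro.web.servlet.SimpleCookie
rememberMeCookie.name = rememberMe
rememberMeCookie.secure = true
rememberMeCookie.httpOnly = true
rememberMeCookie.maxAge = 2592000
securityManager.rememberMeManager.cookie = $rememberMeCookie
```

After deploying, confirm the fix by inspecting the Set-Cookie response headers for both cookies over HTTPS; each should now include the Secure attribute.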

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Apache/Shiro (inferred), 2 version ranges
    • (no CPE) range: >=1.0, <=2.1.0
    • (no CPE) range: >=1.0, <=2.1.0 or =3.0.0-alpha-1

Patches


No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References


News mentions


No linked articles in our index yet.