VYPR
← All advisories
Unrated severityNVD Advisory· Published May 25, 2026

Apache Shiro Jakarta EE module: Open redirect and SSRF (requires valid credentials)

CVE-2026-44598

Description

With valid login credentials, URL Redirection to Untrusted Site ('Open Redirect'), Server-Side Request Forgery (SSRF) vulnerability in Apache Shiro.

This issue affects Apache Shiro from 2.0-alpha to 2.1.0, and 3.0.0-alpha-1, only when using shiro-jakarta-ee integration module.

Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue by encrypting the cookie.

After successful login, Jakarta EE integration module uses shiroSavedRequest cookie to redirect to a particular web page after login. This cookie was not validated, and can be forged to send a HTTP GET request from the server itself to an arbitrary URL from the cookie.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache Shiro Jakarta EE module has an open redirect and SSRF via an unvalidated cookie, fixed in 2.1.1 and 3.0.0-alpha-2.

Vulnerability

Apache Shiro versions 2.0-alpha through 2.1.0 and 3.0.0-alpha-1, when using the shiro-jakarta-ee integration module, have an open redirect and Server-Side Request Forgery (SSRF) vulnerability [1]. After a successful login, the Jakarta EE module uses an unencrypted and unvalidated shiroSavedRequest cookie to determine the redirect target [1].

Exploitation

An attacker needs valid login credentials to authenticate to the application [1]. After authentication, they can forge the shiroSavedRequest cookie value to point to an arbitrary URL [1]. The server then processes this cookie and sends an HTTP GET request from the server to the attacker-chosen URL [1].

Impact

Successful exploitation yields two outcomes: an open redirect that can be used for phishing, and a Server-Side Request Forgery (SSRF) that allows the attacker to make the server send HTTP GET requests to internal or external systems [1]. The attacker can leverage the SSRF to probe internal network services, access cloud metadata endpoints, or gather information that should not be accessible externally [1].

Mitigation

Upgrade to Apache Shiro version 2.1.1 or 3.0.0-alpha-2 or later, which encrypts the shiroSavedRequest cookie to prevent tampering [1]. No workaround is available for unpatched versions [1].

References
  1. Security Reports | Apache Shiro

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Apache/Shiroinferred2 versions
    >=2.0-alpha,<=2.1.0||=3.0.0-alpha-1+ 1 more
    • (no CPE)range: >=2.0-alpha,<=2.1.0||=3.0.0-alpha-1
    • (no CPE)range: >=2.0-alpha, <=2.1.0, =3.0.0-alpha-1

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

1

News mentions

0

No linked articles in our index yet.