VYPR
Unrated severity · NVD Advisory · Published May 25, 2026

Apache Shiro: Jakarta EE open redirect via untrusted Referer in post-login redirect flow

CVE-2026-48589

Description

Apache Shiro’s Jakarta EE module used the HTTP Referer header in certain cases to issue a redirect after a user login. In affected versions, insufficient validation of this client-controlled value could allow an attacker to influence the redirect target in applications using the Jakarta EE module. This issue affects Apache Shiro from 2.0-alpha to 2.2.0, and 3.0.0-alpha-1, only when using the shiro-jakarta-ee integration module.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache Shiro's Jakarta EE module uses the client-controlled HTTP Referer header as the post-login redirect target without validating it, giving an attacker an open redirect that fires as soon as the victim logs in.

Vulnerability

In Apache Shiro versions 2.0-alpha to 2.2.0 and 3.0.0-alpha-1, the Jakarta EE integration module (shiro-jakarta-ee) uses the HTTP Referer header, in certain cases, to decide where to send the user after a successful login. The Referer is set by the browser from whatever page the request came from, so any site that can steer the victim into the login flow controls it. The module does not check that the value points back into the application, so a Referer naming a foreign origin becomes the post-login redirect target [1].

Exploitation

The attacker does not send the login request themselves; they need the victim's browser to enter the login flow from a page they control, for example via a link or a form that submits to the application's login endpoint. The browser stamps that request with a Referer naming the attacker's origin, and once the victim authenticates the module redirects them there. No credentials or special network position are required beyond luring the victim [1]. One practical caveat: under the browser default Referrer-Policy (strict-origin-when-cross-origin) a cross-origin navigation carries only the attacker's origin rather than the full URL, and an HTTPS-to-HTTP downgrade carries no Referer at all; an attacker page can opt back in to sending its full URL with "Referrer-Policy: unsafe-url" as a response header or a meta referrer tag.

Impact

Successful exploitation yields an open redirect that fires immediately after a successful login, which makes it well suited to phishing and credential harvesting: the lure starts on the application's real domain, and the victim lands on the attacker's page already believing they are inside the application. It does not by itself bypass the application's access controls [1].

Mitigation

The affected ranges end at 2.2.0 on the 2.x line and at 3.0.0-alpha-1 on the 3.x line; move to the release the Apache Shiro advisory identifies as fixed, noting that no patch commit is linked on this page yet [1]. Until an upgrade is possible, do not let the Referer header choose the post-login target. Either drop it in favour of a server-side saved request (a path the user requested on this application before being sent to login), or accept it only after checking that it is an absolute URL on the application's own scheme, host and port and under its context path, and then redirect to the resulting server-relative path rather than the raw header value. Reject scheme-relative values ("//host"), userinfo tricks ("https://app.example@evil.example/"), paths that escape the context through ".." segments, and anything that fails to parse.
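The contrast between the vulnerable pattern and a validating one, as an added example in Java. This is illustrative code written for this page, not Shiro's implementation; the method names, the fixed expected origin, the context path "/app" and the constructed Referer values are all assumptions. It deliberately takes the expected scheme, host and port from configuration rather than from the Host header, which is just as client-controlled as Referer.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;

/**
 * Added example (not Shiro's code): a Referer-driven post-login redirect that
 * creates an open redirect, beside a validator that only accepts a target on
 * this application's own origin and inside its context path.
 */
public final class PostLoginRedirect {

    /** Vulnerable pattern: whatever the client sent as Referer becomes the Location header. */
    static String unsafeTarget(String referer, String fallback) {
        return (referer == null || referer.isEmpty()) ? fallback : referer;
    }

    /**
     * Hardened pattern. Returns a server-relative path ("/app/page?x=1") when the
     * Referer points into this application, otherwise the configured fallback.
     * expectedScheme/Host/Port and contextPath come from deployment config.
     */
    static String safeTarget(String referer, String expectedScheme, String expectedHost,
                             int expectedPort, String contextPath, String fallback) {
        if (referer == null || referer.isEmpty()) {
            return fallback;
        }
        URI uri;
        try {
            uri = new URI(referer).normalize();   // collapses "/app/../admin" to "/admin"
        } catch (URISyntaxException e) {
            return fallback;                      // backslashes, spaces, junk: not a URL we trust
        }
        String scheme = uri.getScheme();          // null for scheme-relative "//evil.example/..."
        String host = uri.getHost();              // null when the authority is not a server name
        if (scheme == null || host == null || uri.getUserInfo() != null) {
            return fallback;                      // also rejects "https://app.example@evil.example/"
        }
        if (!scheme.equalsIgnoreCase(expectedScheme)
                || !host.toLowerCase(Locale.ROOT).equals(expectedHost.toLowerCase(Locale.ROOT))) {
            return fallback;                      // foreign origin
        }
        int port = uri.getPort() == -1 ? ("https".equalsIgnoreCase(scheme) ? 443 : 80) : uri.getPort();
        if (port != expectedPort) {
            return fallback;
        }
        String path = uri.getRawPath();
        if (path == null || path.isEmpty()) {
            path = "/";
        }
        // A path of "//evil.example" would be read by the browser as a scheme-relative URL,
        // which matters when the application runs at the root context ("").
        if (path.startsWith("//") || !(path.equals(contextPath) || path.startsWith(contextPath + "/"))) {
            return fallback;
        }
        String query = uri.getRawQuery();
        return query == null ? path : path + "?" + query;
    }

    public static void main(String[] args) {
        String fallback = "/app/home";
        // Constructed Referer values, as an attacker page or a legitimate page would produce them.
        String[] referers = {
            "https://app.example/app/reports?id=7",    // legitimate: kept as /app/reports?id=7
            "https://evil.example/phish",              // foreign host: fallback
            "https://app.example@evil.example/app/",   // userinfo trick: fallback
            "//evil.example/app/",                     // scheme-relative: fallback
            "https://app.example/app/../admin",        // escapes the context: fallback
            "https://app.example:8443/app/",           // wrong port: fallback
            "https://app.example//evil.example",       // would become scheme-relative: fallback
        };
        for (String r : referers) {
            System.out.printf("%-42s unsafe -> %-42s safe -> %s%n",
                    r, unsafeTarget(r, fallback),
                    safeTarget(r, "https", "app.example", 443, "/app", fallback));
        }
    }
}
```

Only the first constructed value survives the validator; every other one lands on the fallback while unsafeTarget hands it straight to the browser. In a Shiro deployment the simpler option is usually to avoid the Referer altogether and redirect to a request saved server-side before the user was sent to login, as Shiro's servlet filter chain has long done through its saved-request support, since that path originates on the application itself.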

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Apache Shiro (inferred; no CPE assigned)
    • >= 2.0-alpha, <= 2.2.0
    • 3.0.0-alpha-1

Patches (0)

No patches discovered yet.

References (1)
