VYPR

High severity · NVD Advisory · Published Jun 11, 2026 · Updated Jun 11, 2026

CVE-2026-53661
Description

Boruta authorization server session and remember-me cookies lacked the Secure attribute, allowing potential session hijacking over plaintext HTTP.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Boruta session cookies (defaulting to _boruta_web_key) and the identity remember-me cookie (defaulting to _boruta_identity_web_user_remember_me) were set without the Secure attribute in versions up to and including 0.9.0, as well as unreleased builds before commit 18691c655164635066aa113003a3cd87f6ed11cd. The affected components are boruta_web, boruta_identity, and boruta_admin. [1]

Exploitation

An attacker who can observe or intercept plaintext HTTP traffic to the Boruta origin recovers a valid session or remember-me cookie the moment the victim's browser makes a single http:// request to that origin while holding one. Two conditions must hold: the Boruta origin must answer on plaintext HTTP (directly or via a proxy that does not redirect), and the browser must issue at least one HTTP request to it, for example from a bookmarked or mistyped http:// link, or the first request before any HSTS policy is cached. The attacker then replays the captured cookie value to impersonate the affected user; no forging or cryptographic break is involved. [1]

Impact

Successful exploitation allows session hijacking for authenticated users, including administrative users. The attacker gains the ability to impersonate the victim, leading to unauthorized access to the Boruta authorization server and any protected resources. The issue does not allow forging cookies directly, but the practical risk depends on deployment topology, especially whether plaintext HTTP is exposed and whether HSTS is enforced. [1]

Mitigation

The fix is included in commit 18691c655164635066aa113003a3cd87f6ed11cd, released as part of version 0.9.1. The patch sets secure: true and same_site: "Lax" on configured session cookies for boruta_web, boruta_identity, and boruta_admin, and sets secure: true on the identity remember-me cookie. [1][2] Until upgrading, workarounds include terminating or rejecting plaintext HTTP before requests reach Boruta, enforcing HTTPS-only access at the reverse proxy or load balancer, enabling HSTS for Boruta domains, and rotating SECRET_KEY_BASE and BORUTA_SESSION_COOKIE_SIGNING_SALT if cookie exposure is suspected. [1]

AI Insight generated on Jun 11, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 1

Commit 18691c655164

[security] require secure cookies

Repository: https://github.com/malach-it/boruta-server · Author: Pascal Knoth · May 30, 2026 · via nvd-ref
4 files changed · +10 -4
  • apps/boruta_admin/lib/boruta_admin_web/endpoint.ex+3 1 modified
    @@ -39,7 +39,9 @@ defmodule BorutaAdminWeb.Endpoint do
         [
           store: :cookie,
           key: endpoint_config[:session_cookie_key],
    -      signing_salt: endpoint_config[:session_cookie_signing_salt]
    +      signing_salt: endpoint_config[:session_cookie_signing_salt],
    +      secure: true,
    +      same_site: "Lax"
         ]
       end
     
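Review bot: `secure: true` is hard-coded in this option list rather than read from `endpoint_config` like `key` and `signing_salt` are, so a developer or CI instance served over plain http://localhost will have its session Set-Cookie rejected by the browser and every login will loop silently. Consider sourcing the flag from the endpoint config next to the other two entries (for example `secure: endpoint_config[:session_cookie_secure]` with a default of true), or at minimum state the HTTPS-only requirement in the 0.9.1 release notes.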
    
  • apps/boruta_identity/lib/boruta_identity_web/concerns/authenticable.ex+1 1 modified
    @@ -13,7 +13,7 @@ defmodule BorutaIdentityWeb.Authenticable do
       @session_key :user_token
       @max_age 60 * 60 * 24 * 60
       @default_remember_me_cookie "_boruta_identity_web_user_remember_me"
    -  @remember_me_options [sign: true, max_age: @max_age, same_site: "Lax"]
    +  @remember_me_options [sign: true, max_age: @max_age, secure: true, same_site: "Lax"]
     
       @spec remember_me_cookie() :: String.t()
       def remember_me_cookie do
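Review bot: adding `secure: true` to `@remember_me_options` only changes cookies issued from now on; remember-me tokens already sitting in browsers without the attribute stay valid for the full `@max_age` of 60 days and will still be sent over plaintext HTTP until they expire. Pair this with a signing-salt or `SECRET_KEY_BASE` rotation in the release, or reject pre-fix tokens on the read path. Also, `http_only` is not set here; Plug's `put_resp_cookie` defaults it to true, so behaviour is correct, but an explicit `http_only: true` beside `secure: true` documents the intent for the next reader.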
    
  • apps/boruta_identity/lib/boruta_identity_web/endpoint.ex+3 1 modified
    @@ -39,7 +39,9 @@ defmodule BorutaIdentityWeb.Endpoint do
         [
           store: :cookie,
           key: endpoint_config[:session_cookie_key],
    -      signing_salt: endpoint_config[:session_cookie_signing_salt]
    +      signing_salt: endpoint_config[:session_cookie_signing_salt],
    +      secure: true,
    +      same_site: "Lax"
         ]
       end
     
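Review bot: this option list is now byte-identical to the ones in `BorutaAdminWeb.Endpoint` and `BorutaWeb.Endpoint`, and the bug existed precisely because three copies were maintained by hand and all drifted the same way. Suggest extracting the list into one shared helper the three endpoints call, and adding an endpoint test that asserts the `Set-Cookie` for `endpoint_config[:session_cookie_key]` contains both `secure` and `SameSite=Lax` so a future copy cannot regress silently.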
    
  • apps/boruta_web/lib/boruta_web/endpoint.ex+3 1 modified
    @@ -52,7 +52,9 @@ defmodule BorutaWeb.Endpoint do
         [
           store: :cookie,
           key: endpoint_config[:session_cookie_key],
    -      signing_salt: endpoint_config[:session_cookie_signing_salt]
    +      signing_salt: endpoint_config[:session_cookie_signing_salt],
    +      secure: true,
    +      same_site: "Lax"
         ]
       end
     
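Review bot: `same_site: "Lax"` on the authorization server's own session is the right default but deserves a changelog note: browsers do not attach a Lax cookie to a cross-site POST, so if any flow has a relying party or upstream provider POST back to boruta_web while expecting the session to be present (a form_post style callback, for instance), that request will now arrive anonymous. Top-level GET redirects into the authorize endpoint are unaffected.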
    

Vulnerability mechanics

Root cause

"Session and remember-me cookies were configured without the `Secure` attribute, allowing transmission over unencrypted HTTP connections."

Attack vector

An attacker on the same network as a user (e.g., on a public Wi-Fi) can passively intercept or actively capture HTTP traffic to the Boruta origin. Because the session cookie (default `_boruta_web_key`) and the identity remember-me cookie (default `_boruta_identity_web_user_remember_me`) lack the `Secure` flag, browsers will send them over unencrypted connections. The attacker recovers the cookie value and replays it to impersonate the victim.

Affected code

The vulnerability affects the session cookie configuration in `apps/boruta_admin/lib/boruta_admin_web/endpoint.ex`, `apps/boruta_identity/lib/boruta_identity_web/endpoint.ex` and `apps/boruta_web/lib/boruta_web/endpoint.ex`, and the remember-me cookie in `apps/boruta_identity/lib/boruta_identity_web/concerns/authenticable.ex`. Each of these passes a cookie option list without `secure: true`, so the session and remember-me cookies are issued without the `Secure` attribute and browsers transmit them over plaintext HTTP.

What the fix does

The patch adds `secure: true` and `same_site: "Lax"` to the session cookie configuration in all three endpoint modules (`boruta_admin`, `boruta_identity`, `boruta_web`), and adds `secure: true` to the remember-me cookie options in `Authenticable`, which already carried `same_site: "Lax"`. Setting `secure: true` instructs browsers to send these cookies only over HTTPS, so a plaintext request to the origin carries no session. `same_site: "Lax"` withholds the cookie from cross-site subresource requests and cross-site POSTs, which is defense in depth against CSRF alongside Phoenix's CSRF token rather than a replacement for it.

Preconditions

  • Network: the Boruta server must be reachable over plaintext HTTP from the user's browser.
  • Network: the attacker must be able to observe or intercept network traffic between the user and the Boruta origin.
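The preconditions above and the post-upgrade check a deployer wants both reduce to one question: do the Set-Cookie headers Boruta emits carry Secure (and SameSite), and what does a browser then do with the stored cookie on an http:// request? The following is an added Python example written for this page, not Boruta project code. The two cookie names are Boruta's documented defaults from the advisory; the sample Set-Cookie lines, the hostname auth.example and every function name are constructed for illustration. Feed it the headers from `curl -si` against your own deployment to verify the fix took effect.

```python
"""Added example for CVE-2026-53661 (not Boruta project code): audit a
response's Set-Cookie headers for the attributes the fix adds, and model which
stored cookies a browser would attach to an http:// request."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Cookie names are Boruta's documented defaults from the advisory text.
SENSITIVE_COOKIES = {"_boruta_web_key", "_boruta_identity_web_user_remember_me"}


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False
    http_only: bool = False
    same_site: Optional[str] = None  # "Strict", "Lax", "None", or None if unset


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie value: name=value followed by ;-separated attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.http_only = True
        elif key == "samesite" and val.strip():
            cookie.same_site = val.strip().capitalize()
    return cookie


def audit(set_cookie_headers: List[str]) -> Dict[str, List[str]]:
    """Map each Boruta session/remember-me cookie to the attributes it lacks."""
    findings: Dict[str, List[str]] = {}
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if cookie.name not in SENSITIVE_COOKIES:
            continue
        problems = []
        if not cookie.secure:
            problems.append("missing Secure (CVE-2026-53661)")
        if not cookie.http_only:
            problems.append("missing HttpOnly")
        if cookie.same_site is None:
            problems.append("missing SameSite")
        findings[cookie.name] = problems
    return findings


def browser_would_send(cookie: Cookie, request_url: str, context: str = "same-site") -> bool:
    """Model the Secure and SameSite checks a browser applies to a stored cookie.

    context is "same-site", "cross-site-navigation" (top-level GET arriving from
    another site) or "cross-site-other" (cross-site POST, subresource, fetch).
    An unset SameSite is modelled as unrestricted; Chromium treats it as Lax.
    """
    if cookie.secure and not request_url.lower().startswith("https://"):
        return False  # a Secure cookie is never sent over plaintext HTTP
    if cookie.same_site == "Strict":
        return context == "same-site"
    if cookie.same_site == "Lax":
        return context in ("same-site", "cross-site-navigation")
    return True


def exposed_over_http(set_cookie_headers: List[str], http_url: str) -> List[str]:
    """Names of sensitive cookies a browser would hand over on a plaintext request."""
    return [
        c.name
        for c in map(parse_set_cookie, set_cookie_headers)
        if c.name in SENSITIVE_COOKIES and browser_would_send(c, http_url)
    ]


# Constructed sample headers, not captured from a real deployment: what a
# pre-0.9.1 endpoint emits for the two cookies, and the same cookies after the fix.
VULNERABLE_HEADERS = [
    "_boruta_web_key=SFMyNTY.constructed-session; path=/; HttpOnly",
    "_boruta_identity_web_user_remember_me=SFMyNTY.constructed-token; path=/; "
    "max-age=5184000; HttpOnly; SameSite=Lax",
]
PATCHED_HEADERS = [
    "_boruta_web_key=SFMyNTY.constructed-session; path=/; secure; HttpOnly; SameSite=Lax",
    "_boruta_identity_web_user_remember_me=SFMyNTY.constructed-token; path=/; "
    "max-age=5184000; secure; HttpOnly; SameSite=Lax",
]

if __name__ == "__main__":
    # auth.example is a hypothetical hostname standing in for the Boruta origin.
    for label, headers in (("before fix", VULNERABLE_HEADERS), ("after fix", PATCHED_HEADERS)):
        print(label, audit(headers), "leaked over http:", exposed_over_http(headers, "http://auth.example/"))
```

Running it shows the pre-fix session cookie flagged for both Secure and SameSite, the pre-fix remember-me cookie flagged for Secure only (it already had `SameSite=Lax`, as the diff confirms), and both of them attached to the plaintext request; after the fix neither leaves the browser over http://, while a top-level cross-site GET to the authorize endpoint over https:// still carries the Lax session as OAuth redirects require.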

Generated on Jun 11, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 3
