CVE-2026-43828
6.5 MEDIUM
Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attribute
Published: 2026-05-25 · Last updated: 2026-05-28
Severity and scoring
- CVSS: 6.5 MEDIUM
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
- CWE: CWE-614
Affected products
| Vendor | Product |
|---|---|
| apache | shiro |
Description
Default configurations of Apache Shiro send sensitive cookies in an HTTPS session without the 'Secure' attribute. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue. In the affected versions, the Shiro-native session manager, as well as the Remember-Me manager, sends the JSESSIONID and rememberMe cookies without the 'secure' attribute by default.
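The weakness is visible directly in the Set-Cookie response headers, so a deployment can be checked without reading Shiro configuration. The following checker is an added example, not code from the NVD record or from the Apache Shiro project: it parses Set-Cookie values, reports the two cookie names the record names (JSESSIONID and rememberMe) when they lack the Secure attribute, and shows the hardened header an HTTPS front end would emit instead. The sample headers are constructed for the example, not captured from a real Shiro instance.

```python
"""Flag session cookies sent without the 'Secure' attribute (CWE-614).

Added example; not part of the CVE record or the Shiro code base.
"""

# Cookie names the record says Shiro emits without 'Secure' by default.
SENSITIVE_COOKIES = ("JSESSIONID", "rememberMe")

# Constructed sample Set-Cookie values, as an affected Shiro deployment might
# send them over HTTPS. Not real captured traffic.
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/; HttpOnly",
    "rememberMe=deleteMe; Path=/; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT",
    "JSESSIONID=abc123; Path=/; HttpOnly; Secure",
    "csrftoken=zzz; Path=/",
]


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased because they are case-insensitive
    (RFC 6265); flag attributes such as Secure map to an empty string.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def missing_secure(set_cookie_headers, watch=SENSITIVE_COOKIES):
    """Return the names of watched cookies that were set without Secure.

    Only meaningful for responses served over HTTPS: without the attribute a
    browser will also send the cookie on a plain-HTTP request to the same
    host, which is the exposure CWE-614 describes.
    """
    findings = []
    for header in set_cookie_headers:
        name, _value, attrs = parse_set_cookie(header)
        if name in watch and "secure" not in attrs:
            findings.append(name)
    return findings


def add_secure(header_value):
    """Return the header with '; Secure' appended if it is not already present.

    This is what a TLS-terminating proxy does when it rewrites cookies from
    an application that cannot be reconfigured or upgraded immediately.
    """
    _name, _value, attrs = parse_set_cookie(header_value)
    if "secure" in attrs:
        return header_value
    return header_value.rstrip("; ") + "; Secure"


if __name__ == "__main__":
    for name in missing_secure(SAMPLE_HEADERS):
        print(f"cookie {name!r} set without Secure")
    for header in SAMPLE_HEADERS:
        print("hardened:", add_secure(header))
```

Run it against the Set-Cookie headers of a real login response (for example from a browser's network inspector) to confirm whether an upgrade or a configuration change has taken effect. On the Shiro side, the equivalent fix in shiro.ini is to set `secure = true` on the session-id cookie of the native session manager and on the Remember-Me cookie (the `sessionIdCookie` and `cookie` properties of those managers); those property names come from Shiro's general configuration model and are stated here as an assumption, not quoted from this record.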
Source: NVD
References
Related CVEs
Same vendor
- CVE-2026-34905 — Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Answer (6.5 MEDIUM)
- CVE-2026-34031 — Unrestricted Upload of File with Dangerous Type vulnerability in Apache Answer (6.5 MEDIUM)
- CVE-2026-33582 — Unrestricted Upload of File with Dangerous Type vulnerability in Apache Answer (6.5 MEDIUM)
- CVE-2026-25699 — Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Apache Answer (6.1 MEDIUM)
- CVE-2026-25688 — Improper Neutralization of Alternate XSS Syntax vulnerability in Apache Answer (6.1 MEDIUM)
Same CWE
- CVE-2026-46398 — HAX CMS helps manage microsite universe with PHP or NodeJs backends
- CVE-2025-52608 — HCL iControl was affected by Missing Cookie Attributes vulnerability (3.1 LOW)
- CVE-2026-41017 — Apache Airflow's `JWTRefreshMiddleware` set the JWT auth cookie without the `Secure` flag, so deployments running the Airflow API server ... (5.9 MEDIUM)