CVE-2026-53661
Boruta is a standalone authorization server that aims to implement OAuth 2.0 and Openid Connect up to decentralized identity specifications
Published: 2026-06-11 · Last updated: 2026-06-11
Severity and scoring
- CWE
- CWE-614
Description
Boruta is a standalone authorization server that aims to implement OAuth 2.0 and Openid Connect up to decentralized identity specifications. Prior to version 0.9.1, boruta session cookies and the identity “remember me” cookie were set without the Secure attribute. In deployments where users could reach the same Boruta origin over plaintext HTTP, browsers could send these cookies over an unencrypted connection. An attacker able to observe or intercept that network traffic could recover a valid session or remember-me cookie and reuse it to impersonate the affected user. Affected components include boruta_web, boruta_identity, and boruta_admin. The affected cookies include the shared session cookie, defaulting to _boruta_web_key, and the identity remember-me cookie, defaulting to `_boruta_identity_web_user_remember_me`. The issue is fixed in commit 18691c655164635066aa113003a3cd87f6ed11cd, released as part of version 0.9.1. The patch sets `secure: true` and `same_site: "Lax"` on configured session cookies for boruta_web, boruta_identity, and boruta_admin, and sets `secure: true` on the identity remember-me cookie. Until upgrading to a release containing the fix: terminate or reject plaintext HTTP before requests reach Boruta; enforce HTTPS-only access at the reverse proxy or load balancer; enable HSTS for Boruta domains; if cookie exposure is suspected, rotate SECRET_KEY_BASE and BORUTA_SESSION_COOKIE_SIGNING_SALT, then require users to authenticate again. Upgrade to a version containing commit 18691c655164635066aa113003a3cd87f6ed11cd, or apply the patch manually. After deploying the fix, verify that Boruta session and remember-me cookies include the Secure attribute in browser developer tools or with an HTTP response inspection tool.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-53661
- [Other]https://github.com/malach-it/boruta-server/commit/18691c655164635066aa113003a3cd87f6ed11cd
- [Other]https://github.com/malach-it/boruta-server/security/advisories/GHSA-jqgm-pfg6-cr8r
- [Other]https://github.com/malach-it/boruta_auth/security/advisories/GHSA-7355-8c95-25pv
Related CVEs
Same CWE
- CVE-2026-11956 — A vulnerability was determined in TwiN gatus 5.36.0 (3.7 LOW)
- CVE-2026-46398 — HAX CMS helps manage microsite universe with PHP or NodeJs backends
- CVE-2025-52608 — HCL iControl was affected by Missing Cookie Attributes vulnerability (3.1 LOW)
- CVE-2026-41017 — Apache Airflow's `JWTRefreshMiddleware` set the JWT auth cookie without the `Secure` flag, so deployments running the Airflow API server ... (5.9 MEDIUM)
- CVE-2026-43828 — Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attribute (6.5 MEDIUM)