CVE-2026-43828— Apache Shiro: Shiro's native session and rememberMe cookies do not have secure flag set by default
Possible ATT&CK Techniques 1AI
T1557.001 · Name Resolution Poisoning and SMB RelayAffected Version Matrix 2
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Apache Software Foundation | Apache Shiro | 1.0≤ 2.1.0 | affected |
3.0.0-alpha-0≤ 3.0.0-alpha-1 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-43828
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Apache Shiro: Shiro's native session and rememberMe cookies do not have secure flag set by default
Source: NVD (National Vulnerability Database)
Vulnerability Description
Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attribute. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue. In the affected versions, Shiro-native session manager, as well as Remember-Me manager sends JSESSIONID and rememberMe cookies without 'secure' attribute by default.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
HTTPS会话中未设置’Secure’属性的敏感Cookie
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Apache Software Foundation | Apache Shiro | 1.0 ~ 2.1.0 | - |
II. Public POCs for CVE-2026-43828
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-43828
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-43828 (1)
- 🔗 Security Reports | Apache Shirovendor-advisory
Same Patch Batch · Apache Software Foundation · 2026-05-25 · 9 CVEs total
| CVE-2026-48589 | Apache Shiro: Jakarta EE open redirect via untrusted Referer in post-login redirect flow | |
| CVE-2026-44598 | Apache Shiro Jakarta EE module: Open redirect and SSRF (requires valid credentials) | |
| CVE-2026-43827 | Apache Shiro: Session fixation: new session is not created after login by default | |
| CVE-2026-42797 | Apache Syncope: JexlContextBuilder Information Disclosure | |
| CVE-2026-42782 | Apache Syncope: Post-auth RCE via Groovy static | |
| CVE-2026-46745 | Apache Airflow FAB provider: LDAP Filter Injection in FAB Auth Manager _search_ldap reacha | |
| CVE-2026-45361 | Apache Airflow Google provider: SSH host key verification disabled in ComputeEngineSSHHook | |
| CVE-2026-45249 | Apache ECharts: XSS in Lines series tooltip rendering |
IV. Related Vulnerabilities
Same product: Apache Shiro
- CVE-2026-48589
Apache Shiro: Jakarta EE open redirect via untrusted Referer - CVE-2026-43827
Apache Shiro: Session fixation: new session is not created a - CVE-2026-23901
Apache Shiro: Brute force attack possible to determine valid - CVE-2026-23903
Apache Shiro: Auth bypass when accessing static files only o - CVE-2023-46749
Apache Shiro before 1.13.0 or 2.0.0-alpha-4, may be suscepti
Same vendor: Apache Software Foundation
- CVE-2026-40564
Apache Flink Kubernetes Operator: Server-Side Request Forger - CVE-2026-48589
Apache Shiro: Jakarta EE open redirect via untrusted Referer - CVE-2026-44598
Apache Shiro Jakarta EE module: Open redirect and SSRF (requ - CVE-2026-43827
Apache Shiro: Session fixation: new session is not created a - CVE-2026-42797
Apache Syncope: JexlContextBuilder Information Disclosure
Same weakness: CWE-614
- CVE-2026-22617
Eaton Intelligent Power Protector 安全漏洞 - CVE-2026-4820
IBM Maximo Application Suite was vulnerable to because Cooki - CVE-2026-32745
JetBrains Datalore 安全漏洞 - CVE-2026-1697
Use of unsecure cookies for GraphicalData web service and We - CVE-2024-58317
Kentico Xperience <= 13.0.164 Cookie Security Configuration
V. Comments for CVE-2026-43828
No comments yet