Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1325 CNY

100%
Buy Us a Coffee

CVE-2026-53661— boruta-server sent sensitive session cookies without the Secure attribute

AI Predicted 6.4 Difficulty: Moderate EPSS 0.26% · P17

Affected Version Matrix 1

VendorProductVersion RangeStatus
malach-itboruta-server< 0.9.1affected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-53661

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
boruta-server sent sensitive session cookies without the Secure attribute
Source: NVD (National Vulnerability Database)
Vulnerability Description
Boruta is a standalone authorization server that aims to implement OAuth 2.0 and Openid Connect up to decentralized identity specifications. Prior to version 0.9.1, boruta session cookies and the identity “remember me” cookie were set without the Secure attribute. In deployments where users could reach the same Boruta origin over plaintext HTTP, browsers could send these cookies over an unencrypted connection. An attacker able to observe or intercept that network traffic could recover a valid session or remember-me cookie and reuse it to impersonate the affected user. Affected components include boruta_web, boruta_identity, and boruta_admin. The affected cookies include the shared session cookie, defaulting to _boruta_web_key, and the identity remember-me cookie, defaulting to `_boruta_identity_web_user_remember_me`. The issue is fixed in commit 18691c655164635066aa113003a3cd87f6ed11cd, released as part of version 0.9.1. The patch sets `secure: true` and `same_site: "Lax"` on configured session cookies for boruta_web, boruta_identity, and boruta_admin, and sets `secure: true` on the identity remember-me cookie. Until upgrading to a release containing the fix: terminate or reject plaintext HTTP before requests reach Boruta; enforce HTTPS-only access at the reverse proxy or load balancer; enable HSTS for Boruta domains; if cookie exposure is suspected, rotate SECRET_KEY_BASE and BORUTA_SESSION_COOKIE_SIGNING_SALT, then require users to authenticate again. Upgrade to a version containing commit 18691c655164635066aa113003a3cd87f6ed11cd, or apply the patch manually. After deploying the fix, verify that Boruta session and remember-me cookies include the Secure attribute in browser developer tools or with an HTTP response inspection tool.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
HTTPS会话中未设置’Secure’属性的敏感Cookie
Source: NVD (National Vulnerability Database)
Vulnerability Title
boruta-server 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
boruta-server是malach.it开源的一款独立授权服务器。 boruta-server 0.9.1之前版本存在安全漏洞,该漏洞源于会话cookie和身份记住我cookie未设置Secure属性,在用户可通过明文HTTP访问同一Boruta源的部署中,浏览器可能通过未加密连接发送这些cookie,攻击者可通过观察或拦截网络流量恢复有效会话或记住我cookie并冒充受影响用户。受影响组件包括boruta_web、boruta_identity和boruta_admin。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
malach-itboruta-server < 0.9.1 -

II. Public POCs for CVE-2026-53661

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-53661

登录查看更多情报信息。

Patches & Fixes for CVE-2026-53661 (1)

Vendor Advisories for CVE-2026-53661 (2)

IV. Related Vulnerabilities

Same weakness: CWE-614

V. Comments for CVE-2026-53661

No comments yet

Leave a comment