oss-security - CVE-2026-43828: Apache Shiro: Shiro's native session and rememberMe cookies do not have secure flag set by default

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [day] [month] [year] [list]

Message-ID: <6feafbac-da48-4657-3449-ccb72db454c0@apache.org>
Date: Mon, 25 May 2026 19:50:45 +0000
From: Lenny Primak <lprimak@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2026-43828: Apache Shiro: Shiro's native session and
 rememberMe cookies do not have secure flag set by default 

Severity: 

Affected versions:

- Apache Shiro (org.apache.shiro:shiro-web) 1.0 through 2.1.0
- Apache Shiro (org.apache.shiro:shiro-web) 3.0.0-alpha-0 through 3.0.0-alpha-1

Description:

Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attribute.

This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1.

Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue.

In the affected versions, Shiro-native session manager, as well as Remember-Me manager sends JSESSIONID and rememberMe cookies without 'secure' attribute by default.

Credit:

Meteor_Kai <1318723916@...com> (finder)
Lenny Primak <lenny@...wlogix.com> (remediation developer)

References:

https://shiro.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-43828

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.