Apache Shiro 1.0-2.1.0 & 3.0.0-alpha-1: Unsecured HTTPS session cookies
CVE-2026-43828 Published on May 25, 2026
Apache Shiro: Shiro's native session and rememberMe cookies do not have the Secure flag set by default
Default configurations of Apache Shiro send sensitive cookies in an HTTPS session without the 'Secure' attribute.
This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1.
Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fix the issue.
In the affected versions, the Shiro-native session manager and the Remember-Me manager send the JSESSIONID and rememberMe cookies without the 'secure' attribute by default.
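Until the upgrade is applied, the defaults described above can be overridden explicitly in shiro.ini. The following is an added configuration example, not taken from the advisory or from the Shiro project; it assumes the standard Shiro bean-property notation and that the session-ID cookie is exposed as `sessionIdCookie` on DefaultWebSessionManager and the remember-me cookie as `cookie` on the default CookieRememberMeManager:

```ini
[main]
# Use Shiro's native session manager (the component the advisory describes);
# the servlet-container session manager is not affected by this setting.
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager

# Mark the JSESSIONID cookie Secure so user agents only send it over HTTPS.
# (assumed property path: sessionIdCookie.secure)
securityManager.sessionManager.sessionIdCookie.secure = true

# Do the same for the rememberMe cookie issued by the remember-me manager.
# (assumed property path: rememberMeManager.cookie.secure)
securityManager.rememberMeManager.cookie.secure = true
```

After deploying, confirm the change by inspecting the `Set-Cookie` response headers on a login over HTTPS: both cookies should now carry the `Secure` attribute. A check like this belongs in the deployment's smoke tests so that a future upgrade or config change that drops the flag is caught rather than discovered later.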
Weakness Type
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session.
Products Associated with CVE-2026-43828
Affected Versions
Apache Software Foundation Apache Shiro:
- Versions from 1.0 up to and including 2.1.0 are affected.
- Versions from 3.0.0-alpha-0 up to and including 3.0.0-alpha-1 are affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.