Apache Shiro Jakarta EE Unvalidated HTTP Referer Redirect (3.0.0-alpha-1)
CVE-2026-48589 Published on May 25, 2026
Apache Shiro: Jakarta EE open redirect via untrusted Referer in post-login redirect flow
Apache Shiro's Jakarta EE module used the HTTP Referer header in certain cases to issue a redirect after a user login.
In affected versions, insufficient validation of this client-controlled value could allow an attacker to influence the redirect target in applications using the Jakarta EE module.
This issue affects Apache Shiro from 2.0-alpha to 2.2.0, and 3.0.0-alpha-1, only when using the shiro-jakarta-ee integration module.
Weakness Type
What is an Open Redirect Vulnerability?
A web application accepts user-controlled input that specifies a link to an external site, and uses that link in a redirect. This simplifies phishing attacks. An HTTP parameter may contain a URL value and could cause the web application to redirect the request to the specified URL. By modifying the URL value to point at a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts have a more trustworthy appearance.
CVE-2026-48589 has been classified as an Open Redirect vulnerability or weakness.
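One defensive pattern for the post-login flow described above, written here in Java as an added example (this is illustrative code, not the shiro-jakarta-ee module and not Apache's fix): a Referer value is accepted as a redirect target only when it parses as an absolute http(s) URL on the application's own origin, and even then only its path and query are re-emitted, so the Location header can never name a host. The class name, the FALLBACK constant, the origin parameters and all sample Referer values are assumptions constructed for the example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;

/**
 * Added example (not Apache Shiro's code): derive a post-login redirect target
 * from the Referer header only when it points back into the current origin.
 * The caller supplies the scheme/host/port the application is actually served
 * on (from configuration, not from the client-controlled Host header).
 */
public final class PostLoginRedirect {

    /** Assumed landing page used whenever the Referer cannot be trusted. */
    static final String FALLBACK = "/";

    private PostLoginRedirect() {}

    /**
     * Returns a same-origin, path-only target ("/path?query") built from the
     * Referer, or FALLBACK if the Referer is absent, unparseable, on another
     * origin, or shaped so that a browser could treat it as an external URL.
     */
    public static String safeTarget(String referer, String appScheme, String appHost, int appPort) {
        if (referer == null || referer.isBlank()) {
            return FALLBACK;
        }
        final URI uri;
        try {
            uri = new URI(referer);
        } catch (URISyntaxException e) {
            return FALLBACK; // backslashes, spaces etc. never reach the redirect
        }

        // Only absolute http(s) URLs with a host and no userinfo are considered.
        String scheme = uri.getScheme();
        if (scheme == null || uri.getHost() == null || uri.getRawUserInfo() != null) {
            return FALLBACK;
        }
        scheme = scheme.toLowerCase(Locale.ROOT);
        if (!scheme.equals("http") && !scheme.equals("https")) {
            return FALLBACK;
        }

        // Compare scheme, host and default-normalised port against the application's own origin.
        if (!scheme.equalsIgnoreCase(appScheme)
                || !uri.getHost().equalsIgnoreCase(appHost)
                || effectivePort(scheme, uri.getPort()) != effectivePort(appScheme, appPort)) {
            return FALLBACK;
        }

        // Re-emit only path and query; the result is always a relative reference.
        String path = uri.getRawPath();
        if (path == null || path.isEmpty()) {
            path = "/";
        }
        // "//other.example" is scheme-relative to browsers even though it starts with "/".
        if (!path.startsWith("/") || path.startsWith("//")) {
            return FALLBACK;
        }
        String query = uri.getRawQuery();
        return query == null ? path : path + "?" + query;
    }

    private static int effectivePort(String scheme, int port) {
        if (port != -1) {
            return port;
        }
        return "https".equalsIgnoreCase(scheme) ? 443 : 80;
    }

    /** Constructed sample Referer values; none of these come from the advisory. */
    public static void main(String[] args) {
        String[] samples = {
            "https://app.example/account/settings?tab=security", // same origin: kept as path+query
            "https://app.example:443/orders",                    // explicit default port: kept
            "https://other.example/login",                       // foreign host: fallback
            "https://app.example@other.example/",                // userinfo trick: fallback
            "https://app.example//other.example/",               // scheme-relative path: fallback
            "javascript:alert(1)",                               // non-http scheme: fallback
            "not a url",                                         // unparseable: fallback
            null,                                                // absent header: fallback
        };
        for (String referer : samples) {
            System.out.printf("%-52s -> %s%n", referer, safeTarget(referer, "https", "app.example", 443));
        }
    }
}
```

The origin passed to `safeTarget` must come from the application's own configuration; deriving it from the request's Host header would let the same client that controls Referer also control the comparison. Applications that only ever need to return users to a fixed set of pages can go further and allow-list relative paths instead of parsing the Referer at all.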
Products Associated with CVE-2026-48589
Affected Versions
Apache Software Foundation Apache Shiro:
- Version 2.0.0-alpha-0, <= 2.2.0 is affected.
- Version 3.0.0-alpha-0, <= 3.0.0-alpha-1 is affected.