CVE-2026-44598

Name of the Vulnerable Software and Affected Versions Apache Shiro versions 2.0-alpha through 2.1.0 Apache Shiro version 3.0.0-alpha-1

Description An issue exists in the shiro-jakarta-ee integration module where the shiroSavedRequest cookie is not validated after a successful login. This allows an attacker with valid credentials to forge the cookie, leading to URL Redirection to Untrusted Sites (Open Redirect) and Server-Side Request Forgery (SSRF), where the server is forced to send an HTTP GET request to an arbitrary URL.

Recommendations Upgrade versions 2.0-alpha through 2.1.0 to version 2.1.1 or later. Upgrade version 3.0.0-alpha-1 to version 3.0.0-alpha-2 or later.