
CVE-2026-43828

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

Published: May 25, 2026 | Modified: Jun 17, 2026

CVSS 3.x: 6.5 MEDIUM (Source: NVD)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CVSS 2.x: not listed
RedHat/V2: not listed
RedHat/V3: 6.5 MODERATE, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Ubuntu: MEDIUM

Default configurations of Apache Shiro send sensitive cookies in an HTTPS session without the Secure attribute.

This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1.

Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue.

In the affected versions, the Shiro-native session manager and the Remember-Me manager send the JSESSIONID and rememberMe cookies without the Secure attribute by default, so a browser will also transmit them over plain HTTP.

Weakness

The Secure attribute for sensitive cookies in HTTPS sessions is not set.

Affected Software

Name    Vendor    Start Version               End Version
Shiro   Apache    *                           2.1.1 (excluding)
Shiro   Apache    3.0.0-alpha1 (including)    3.0.0-alpha1 (including)

Potential Mitigations
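For deployments that cannot upgrade yet, the defaults described above can be overridden in configuration. The following is an added example, not code from the Shiro project or from this advisory: it flips the Secure attribute on both cookies using Shiro's shiro-web classes (DefaultWebSessionManager, CookieRememberMeManager, DefaultWebSecurityManager) as this author knows them; the equivalent shiro.ini keys in the comment assume Shiro's standard [main] bean-property syntax, so check both against the version you deploy.

```java
import org.apache.shiro.web.mgt.CookieRememberMeManager;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;

/**
 * Builds a WebSecurityManager whose JSESSIONID and rememberMe cookies carry
 * the Secure attribute. Only the Secure flag is changed; the default cookie
 * name, path, HttpOnly flag and (for rememberMe) max-age stay as Shiro sets
 * them, because we modify the existing cookie objects instead of replacing them.
 *
 * Equivalent shiro.ini lines (assumed bean-property syntax, verify on your version):
 *   [main]
 *   sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
 *   securityManager.sessionManager = $sessionManager
 *   sessionManager.sessionIdCookie.secure = true
 *   securityManager.rememberMeManager.cookie.secure = true
 */
public final class SecureShiroCookies {

    private SecureShiroCookies() {}

    public static DefaultWebSecurityManager build() {
        // Session-ID cookie: Shiro's default is JSESSIONID with HttpOnly but not Secure.
        DefaultWebSessionManager sessionManager = new DefaultWebSessionManager();
        sessionManager.getSessionIdCookie().setSecure(true);

        // Remember-Me cookie: Shiro's default is "rememberMe", again without Secure.
        CookieRememberMeManager rememberMeManager = new CookieRememberMeManager();
        rememberMeManager.getCookie().setSecure(true);

        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        securityManager.setSessionManager(sessionManager);
        securityManager.setRememberMeManager(rememberMeManager);
        return securityManager;
    }

    /** True only if both cookies will be emitted with the Secure attribute. */
    public static boolean bothCookiesSecure(DefaultWebSecurityManager sm) {
        DefaultWebSessionManager sessions = (DefaultWebSessionManager) sm.getSessionManager();
        CookieRememberMeManager rm = (CookieRememberMeManager) sm.getRememberMeManager();
        return sessions.getSessionIdCookie().isSecure() && rm.getCookie().isSecure();
    }
}
```

After deploying, confirm the fix from the outside by checking that every Set-Cookie header for JSESSIONID and rememberMe on an HTTPS response contains the Secure attribute; with the attribute present, the browser will not send either cookie over an HTTP request to the same host.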

References