CVE-2026-48589— Apache Shiro: Jakarta EE open redirect via untrusted Referer in post-login redirect flow
Possible ATT&CK Techniques 2AI
T1190 · Exploit Public-Facing Application T1189 · Drive-by CompromiseGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-48589
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Apache Shiro: Jakarta EE open redirect via untrusted Referer in post-login redirect flow
Source: NVD (National Vulnerability Database)
Vulnerability Description
Apache Shiro’s Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user login. In affected versions, insufficient validation of this client-controlled value could allow an attacker to influence the redirect target in applications using the Jakarta EE module. This issue affects Apache Shiro from 2.0-alpha to 2.2.0, and 3.0.0-alpha-1, only when using shiro-jakarta-ee integration module.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
指向未可信站点的URL重定向(开放重定向)
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Apache Software Foundation | Apache Shiro | 2.0.0-alpha-0 ~ 2.2.0 | - |
II. Public POCs for CVE-2026-48589
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-48589
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-48589 (1)
- Security Reports | Apache Shirovendor-advisory
Same Patch Batch · Apache Software Foundation · 2026-05-25 · 9 CVEs total
| CVE-2026-44598 | Apache Shiro Jakarta EE module: Open redirect and SSRF (requires valid credentials) | |
| CVE-2026-43828 | Apache Shiro: Shiro's native session and rememberMe cookies do not have secure flag set by | |
| CVE-2026-43827 | Apache Shiro: Session fixation: new session is not created after login by default | |
| CVE-2026-42797 | Apache Syncope: JexlContextBuilder Information Disclosure | |
| CVE-2026-42782 | Apache Syncope: Post-auth RCE via Groovy static | |
| CVE-2026-46745 | Apache Airflow FAB provider: LDAP Filter Injection in FAB Auth Manager _search_ldap reacha | |
| CVE-2026-45361 | Apache Airflow Google provider: SSH host key verification disabled in ComputeEngineSSHHook | |
| CVE-2026-45249 | Apache ECharts: XSS in Lines series tooltip rendering |
IV. Related Vulnerabilities
Same product: Apache Shiro
- CVE-2026-43828
Apache Shiro: Shiro's native session and rememberMe cookies - CVE-2026-43827
Apache Shiro: Session fixation: new session is not created a - CVE-2026-23901
Apache Shiro: Brute force attack possible to determine valid - CVE-2026-23903
Apache Shiro: Auth bypass when accessing static files only o - CVE-2023-46749
Apache Shiro before 1.13.0 or 2.0.0-alpha-4, may be suscepti
Same vendor: Apache Software Foundation
- CVE-2026-40564
Apache Flink Kubernetes Operator: Server-Side Request Forger - CVE-2026-44598
Apache Shiro Jakarta EE module: Open redirect and SSRF (requ - CVE-2026-43828
Apache Shiro: Shiro's native session and rememberMe cookies - CVE-2026-43827
Apache Shiro: Session fixation: new session is not created a - CVE-2026-42797
Apache Syncope: JexlContextBuilder Information Disclosure
Same weakness: CWE-601
V. Comments for CVE-2026-48589
No comments yet