CVE-2026-48589
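CVSS 0.0 (NONE): this is the CVSS 4.0 score supplied by the CNA (security@apache.org). NVD's own CVSS 3.1 assessment, in the JSON below, is 5.4 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N), so triage should not rely on the 0.0 figure alone.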
No EPSS data
Description
Apache Shiro’s Jakarta EE module used the HTTP Referer header in certain cases to issue a redirect after a user login.
In affected versions, insufficient validation of this client-controlled value could allow an attacker to influence the redirect target in applications using the Jakarta EE module.
This issue affects Apache Shiro from 2.0-alpha to 2.2.0, and 3.0.0-alpha-1, only when using the shiro-jakarta-ee integration module.
CVSS details
EPSS
This CVE is not currently listed in the EPSS dataset.
{
"cve": {
"id": "CVE-2026-48589",
"cveTags": [],
"metrics": {
"cvssMetricV31": [
{
"type": "Primary",
"source": "nvd@nist.gov",
"cvssData": {
"scope": "CHANGED",
"version": "3.1",
"baseScore": 5.4,
"attackVector": "NETWORK",
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"integrityImpact": "LOW",
"userInteraction": "REQUIRED",
"attackComplexity": "LOW",
"availabilityImpact": "NONE",
"privilegesRequired": "LOW",
"confidentialityImpact": "LOW"
},
"impactScore": 2.7,
"exploitabilityScore": 2.3
}
],
"cvssMetricV40": [
{
"type": "Secondary",
"source": "security@apache.org",
"cvssData": {
"Safety": "NEGLIGIBLE",
"version": "4.0",
"Recovery": "AUTOMATIC",
"baseScore": 0,
"Automatable": "YES",
"attackVector": "NETWORK",
"baseSeverity": "NONE",
"valueDensity": "DIFFUSE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:A/V:D/RE:X/U:Green",
"exploitMaturity": "NOT_DEFINED",
"providerUrgency": "GREEN",
"userInteraction": "ACTIVE",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"privilegesRequired": "LOW",
"subIntegrityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"vulnAvailabilityImpact": "NONE",
"availabilityRequirement": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"subConfidentialityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"confidentialityRequirement": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"vulnerabilityResponseEffort": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED"
}
}
]
},
"published": "2026-05-25T21:16:35.117",
"references": [
{
"url": "https://shiro.apache.org/security-reports.html#cve_2026_48589",
"tags": [
"Vendor Advisory"
],
"source": "security@apache.org"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/25/9",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"source": "af854a3a-2127-422b-91ae-364da2661108"
}
],
"vulnStatus": "Analyzed",
"weaknesses": [
{
"type": "Secondary",
"source": "security@apache.org",
"description": [
{
"lang": "en",
"value": "CWE-601"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Apache Shiro\u2019s Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user login.\nIn affected versions, insufficient validation of this client-controlled value could allow an attacker to influence the redirect target in applications using the Jakarta EE module.\nThis issue affects Apache Shiro from 2.0-alpha to 2.2.0, and 3.0.0-alpha-1, only when using shiro-jakarta-ee integration module."
}
],
"lastModified": "2026-05-28T13:38:44.880",
"configurations": [
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:shiro:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "4EFE9570-0EAC-4F87-8451-0F2C48984A06",
"versionEndExcluding": "2.2.1",
"versionStartIncluding": "2.0.0"
},
{
"criteria": "cpe:2.3:a:apache:shiro:3.0.0:alpha1:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "C79C762D-108B-4C23-BEAF-0115D43D83BD"
}
],
"operator": "OR"
}
]
}
],
"sourceIdentifier": "security@apache.org"
}
}