{"schema_version": "1.6.1", "id": "CVE-2026-43828", "summary": "Shiro's native session and rememberMe cookies do not have secure flag set by default", "details": "Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attribute.\n\n\n\nThis issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1.\n\nUsers are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue.\n\nIn the affected versions, Shiro-native session manager, as well as Remember-Me manager sends JSESSIONID and rememberMe cookies without 'secure' attribute by default.", "affected": [{"ranges": [{"type": "SEMVER", "events": [{"introduced": "1.0"}, {"last_affected": "1.0"}]}, {"type": "SEMVER", "events": [{"introduced": "3.0.0-alpha-0"}, {"last_affected": "3.0.0-alpha-0"}]}]}], "references": [{"type": "WEB", "url": "https://shiro.apache.org/security-reports.html#cve_2026_43828"}]}