{"schema_version": "1.6.1", "id": "CVE-2026-44598", "summary": "Open redirect and SSRF (requires valid credentials)", "details": "With valid login credentials, URL Redirection to Untrusted Site ('Open Redirect'), Server-Side Request Forgery (SSRF) vulnerability in Apache Shiro.\n\n\n\n\nThis issue affects Apache Shiro from 2.0-alpha to 2.1.0, and 3.0.0-alpha-1, only when using shiro-jakarta-ee integration module.\n\nUsers are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue by encrypting the cookie.\n\nAfter successful login, Jakarta EE integration module uses shiroSavedRequest cookie to redirect to a particular web page after login.\nThis cookie was not validated, and can be forged to send a HTTP GET request from the server itself to an arbitrary URL from the cookie.", "affected": [{"ranges": [{"type": "SEMVER", "events": [{"introduced": "2.0.0-alpha-0"}, {"last_affected": "2.0.0-alpha-0"}]}, {"type": "SEMVER", "events": [{"introduced": "3.0.0-alpha-0"}, {"last_affected": "3.0.0-alpha-0"}]}]}], "references": [{"type": "WEB", "url": "https://shiro.apache.org/security-reports.html#cve_2026_44598"}]}