CVE-2026-48589

CVE-2026-48589 is a medium-severity vulnerability in Apache Shiro with a CVSS 3.x base score of 5.4. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-601.

Key facts

Description

Apache Shiro’s Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user login. In affected versions, insufficient validation of this client-controlled value could allow an attacker to influence the redirect target in applications using the Jakarta EE module. This issue affects Apache Shiro from 2.0-alpha to 2.2.0, and 3.0.0-alpha-1, only when using shiro-jakarta-ee integration module.

Frequently asked questions

What is CVE-2026-48589?
Apache Shiro’s Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user login. In affected versions, insufficient validation of this client-controlled value could allow an attacker to influence the redirect target in applications using the Jakarta EE module. This issue affects Apache Shiro from 2.0-alpha to 2.2.0, and 3.0.0-alpha-1, only when using shiro-jakarta-ee integration module.
How severe is CVE-2026-48589?
CVE-2026-48589 has a CVSS 3.x base score of 5.4, rated medium severity. It is exploitable over network with low attack complexity, requires low privileges and user interaction. Impact on confidentiality is low, integrity low, and availability none.
Is CVE-2026-48589 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (27th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2026-48589?
CVE-2026-48589 primarily affects Apache Shiro. In total, 2 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2026-48589?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
Does CVE-2026-48589 have an EU (EUVD) identifier?
Yes. CVE-2026-48589 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-31738.
When was CVE-2026-48589 published?
CVE-2026-48589 was published on 2026-05-25 and last updated on 2026-06-17.

References

Affected products (2)

More vulnerabilities in Apache Shiro

All CVEs affecting Apache Shiro →

Other CWE-601 (Open Redirect) vulnerabilities

Browse all CWE-601 (Open Redirect) vulnerabilities →