
Boruta CVE-2026-53661

EUVD: EUVD-2026-36243 · HIGH
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute (CWE-614)
2026-06-11 · security-advisories@github.com
Score: 8.8 (CVSS 4.0) · Vendor: github

Severity by source

Vendor (github), primary rating: 8.8 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI: 5.9 MEDIUM
Rationale: AV:N for on-path interception; AC:H because the attacker needs network position and an HTTP request to the origin; UI:R since the victim must trigger an HTTP request; C:H from full session takeover; I:L from acting as the user; A:N.
CVSS 3.1: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N
CVSS 4.0: AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (github).

CVSS Vector (Vendor: github)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X

Lifecycle Timeline

  • Patch available: Jun 11, 2026, 16:16 (EUVD)
  • Source Code Evidence Fetched: Jun 11, 2026, 14:31 (vuln.today)
  • Analysis Generated: Jun 11, 2026, 14:31 (vuln.today)

Description (CVE.org)

Boruta is a standalone authorization server that aims to implement OAuth 2.0 and OpenID Connect up to decentralized identity specifications. Prior to version 0.9.1, Boruta session cookies and the identity "remember me" cookie were set without the Secure attribute. In deployments where users could reach the same Boruta origin over plaintext HTTP, browsers could send these cookies over an unencrypted connection. An attacker able to observe or intercept that network traffic could recover a valid session or remember-me cookie and reuse it to impersonate the affected user. Affected components include boruta_web, boruta_identity, and boruta_admin. The affected cookies are the shared session cookie, defaulting to _boruta_web_key, and the identity remember-me cookie, defaulting to _boruta_identity_web_user_remember_me.

The issue is fixed in commit 18691c655164635066aa113003a3cd87f6ed11cd, released as part of version 0.9.1. The patch sets secure: true and same_site: "Lax" on the configured session cookies for boruta_web, boruta_identity, and boruta_admin, and sets secure: true on the identity remember-me cookie.

Until upgrading to a release containing the fix: terminate or reject plaintext HTTP before requests reach Boruta; enforce HTTPS-only access at the reverse proxy or load balancer; enable HSTS for Boruta domains; and, if cookie exposure is suspected, rotate SECRET_KEY_BASE and BORUTA_SESSION_COOKIE_SIGNING_SALT, then require users to authenticate again. Upgrade to a version containing commit 18691c655164635066aa113003a3cd87f6ed11cd, or apply the patch manually. After deploying the fix, verify that Boruta session and remember-me cookies include the Secure attribute, using browser developer tools or an HTTP response inspection tool.
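A small checker for the post-fix verification step the description ends with, added here as an example that is not Boruta's or the advisory's own code: it parses Set-Cookie values and reports whether the two cookie names the advisory gives carry the Secure (and SameSite) attribute. The two sets of response headers below are constructed samples; the cookie values are placeholders.

```python
"""Audit Set-Cookie headers for the attributes the Boruta 0.9.1 fix adds.

Added example, not part of the advisory or of Boruta. In practice, feed
every Set-Cookie header value from a response captured over HTTPS into
audit_set_cookies(); an empty result means the audited cookies are fine.
"""
from __future__ import annotations

# Default cookie names named in the advisory.
SENSITIVE_COOKIES = {"_boruta_web_key", "_boruta_identity_web_user_remember_me"}


def parse_set_cookie(header: str) -> tuple[str, dict[str, str | None]]:
    """Split one Set-Cookie value into (cookie name, {attribute: value}).

    Attribute names are case-insensitive per RFC 6265, so they are lowered;
    flag attributes such as Secure and HttpOnly map to None.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs: dict[str, str | None] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else None
    return name.strip(), attrs


def audit_set_cookies(headers: list[str]) -> list[str]:
    """Return one finding per sensitive cookie that lacks Secure or SameSite."""
    findings: list[str] = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if name not in SENSITIVE_COOKIES:
            continue  # other cookies are out of scope for this advisory
        if "secure" not in attrs:
            findings.append(f"{name}: missing Secure (CWE-614)")
        if "samesite" not in attrs:
            findings.append(f"{name}: missing SameSite")
    return findings


# Constructed samples: headers as a pre-0.9.1 deployment sets them, and
# as the fix sets them (secure + SameSite=Lax on the session cookie,
# secure only on the remember-me cookie, matching the advisory).
BEFORE_FIX = [
    "_boruta_web_key=PLACEHOLDER; path=/; HttpOnly",
    "_boruta_identity_web_user_remember_me=PLACEHOLDER; path=/; max-age=5184000; HttpOnly",
    "unrelated=PLACEHOLDER; path=/",
]
AFTER_FIX = [
    "_boruta_web_key=PLACEHOLDER; path=/; secure; HttpOnly; SameSite=Lax",
    "_boruta_identity_web_user_remember_me=PLACEHOLDER; path=/; max-age=5184000; secure; HttpOnly",
]

if __name__ == "__main__":
    for label, hdrs in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        print(label, audit_set_cookies(hdrs) or ["no findings"])
```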

Analysis (AI)

Session cookie hijacking in Boruta authorization server prior to 0.9.1 allows network-positioned attackers to capture authentication and remember-me cookies because they lack the Secure attribute and may be transmitted over plaintext HTTP. The flaw affects boruta_web, boruta_identity, and boruta_admin components and enables full user impersonation, including potentially administrative sessions on an OAuth 2.0/OpenID Connect identity provider. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

  • Access: gain on-path network position
  • Delivery: wait for a victim HTTP request to the Boruta origin
  • Exploit: sniff the Set-Cookie/Cookie header in plaintext
  • Execution: extract the _boruta_web_key or remember-me cookie
  • Persist: replay the cookie against the HTTPS endpoint
  • Impact: impersonate the user/admin session

Vulnerability Assessment (AI)

Exploitation: Exploitation requires three concrete conditions: (1) the Boruta origin must be reachable over plaintext HTTP, i.e. the operator has not forced HTTPS-only at the reverse proxy/load balancer and has not configured HSTS; (2) the attacker must hold a network position capable of observing traffic between victim and server (same LAN, compromised hop, rogue Wi-Fi, on-path ISP, etc.); and (3) the victim's browser must issue at least one request to the Boruta origin over HTTP while holding a valid session or remember-me cookie, which can be induced by a typed hostname, bookmark, HTTP link, or downgrade. …

Risk Assessment: The vendor-supplied CVSS 4.0 base score of 8.8 (AV:N/AC:L/PR:N/UI:N/VC:H) rates this High, but that rating assumes a deployment that actually serves Boruta over plaintext HTTP at the same origin, a precondition the description explicitly calls out. …

Exploit Scenario: An attacker on the same coffee-shop Wi-Fi as a Boruta administrator waits for the admin's browser to issue any request to the Boruta origin over plaintext HTTP (for example a bookmark, a typed hostname without scheme, or an HTTP redirect) and passively captures the `_boruta_web_key` and `_boruta_identity_web_user_remember_me` cookies from the wire. The attacker then replays those cookies against the HTTPS endpoint to impersonate the administrator and issue OAuth tokens or modify identity records. …

Remediation: Upgrade to Boruta 0.9.1 or later, which includes commit 18691c655164635066aa113003a3cd87f6ed11cd setting `secure: true` and `same_site: "Lax"` on the session cookies for all three endpoints and `secure: true` on the identity remember-me cookie. …

Recommended Action (AI)

Within 24 hours: Inventory all Boruta installations and identify versions in use, particularly any version prior to 0.9.1, and document critical applications dependent on Boruta authentication. …
