Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
The rationale shown for this vector uses CVSS 3.x metric names (C:H, I:L, UI:R) and does not agree with the vector itself: the vector records AC:L, AT:N and UI:N, while the conditions the rationale cites (an on-path network position, and a victim browser that must send at least one plaintext request) are what CVSS 4.0 expresses as AT:P (attack requirements present) and UI:P (passive user interaction), not as AC:H. The impact part is consistent: AV:N because the attacker works from the network; VC:H because a captured cookie gives full session takeover; VI:L because the attacker can then act as the user; VA:N. The 8.8 score follows from the vector as published, not from the stricter conditions in the rationale.
Primary rating from Vendor (github).
Description (CVE.org)
Boruta is a standalone authorization server that aims to implement OAuth 2.0 and OpenID Connect up to decentralized identity specifications. Prior to version 0.9.1, Boruta session cookies and the identity “remember me” cookie were set without the Secure attribute. In deployments where users could reach the same Boruta origin over plaintext HTTP, browsers could send these cookies over an unencrypted connection. An attacker able to observe or intercept that network traffic could recover a valid session or remember-me cookie and reuse it to impersonate the affected user.

Affected components include boruta_web, boruta_identity, and boruta_admin. The affected cookies are the shared session cookie (default name _boruta_web_key) and the identity remember-me cookie (default name _boruta_identity_web_user_remember_me).

The issue is fixed in commit 18691c655164635066aa113003a3cd87f6ed11cd, released as part of version 0.9.1. The patch sets secure: true and same_site: "Lax" on the configured session cookies for boruta_web, boruta_identity, and boruta_admin, and sets secure: true on the identity remember-me cookie.

Until upgrading to a release containing the fix:
- terminate or reject plaintext HTTP before requests reach Boruta;
- enforce HTTPS-only access at the reverse proxy or load balancer;
- enable HSTS for Boruta domains;
- if cookie exposure is suspected, rotate SECRET_KEY_BASE and BORUTA_SESSION_COOKIE_SIGNING_SALT, then require users to authenticate again.

Upgrade to a version containing commit 18691c655164635066aa113003a3cd87f6ed11cd, or apply the patch manually. After deploying the fix, verify that Boruta session and remember-me cookies include the Secure attribute, using browser developer tools or an HTTP response inspection tool.
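An added check for the verification step above; it is not code from the advisory or from the Boruta project. It takes the raw status line and headers of one HTTP response (as printed by `curl -sI https://<boruta-host>/...` or copied from browser developer tools) and reports which Boruta cookies still lack the Secure attribute, whether they carry HttpOnly, and whether the origin sends the HSTS header the advisory recommends as a compensating control. The two responses, the paths and the cookie values are constructed.

```python
"""Post-deployment check that the Boruta cookie fix is in effect.

Added example; not code from the Boruta project or from the advisory.
Feed it the raw response text (status line + headers) captured from the
HTTPS origin. The responses below are constructed for the demonstration.
"""

# Default cookie names taken from the advisory (boruta_web session cookie,
# boruta_identity remember-me cookie).
BORUTA_COOKIES = ("_boruta_web_key", "_boruta_identity_web_user_remember_me")

# Constructed responses. VULNERABLE mirrors a pre-0.9.1 deployment (no Secure
# attribute); FIXED mirrors 0.9.1 (Secure and SameSite=Lax on the session
# cookie, Secure on the remember-me cookie) behind a proxy that emits HSTS.
# Cookie values are placeholders, not real signed sessions.
VULNERABLE = (
    "HTTP/1.1 302 Found\r\n"
    "location: /oauth/authorize\r\n"
    "set-cookie: _boruta_web_key=SFMyNTY.placeholder; path=/; HttpOnly\r\n"
    "set-cookie: _boruta_identity_web_user_remember_me=rm-placeholder; "
    "path=/; max-age=5184000; HttpOnly\r\n"
    "\r\n"
)
FIXED = (
    "HTTP/1.1 302 Found\r\n"
    "location: /oauth/authorize\r\n"
    "strict-transport-security: max-age=31536000; includeSubDomains\r\n"
    "set-cookie: _boruta_web_key=SFMyNTY.placeholder; path=/; HttpOnly; "
    "secure; SameSite=Lax\r\n"
    "set-cookie: _boruta_identity_web_user_remember_me=rm-placeholder; "
    "path=/; max-age=5184000; HttpOnly; secure\r\n"
    "\r\n"
)


def parse_headers(raw_response):
    """Return [(lower-cased name, value)] for the header block after the status line."""
    lines = raw_response.replace("\r\n", "\n").split("\n")
    headers = []
    for line in lines[1:]:          # lines[0] is the status line
        if not line.strip():        # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def cookie_attributes(set_cookie_value):
    """Split one Set-Cookie value into (cookie name, {attribute: value}).

    Attribute names are lower-cased because Set-Cookie attributes are
    case-insensitive; value-less flags such as Secure map to True.
    """
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if value else True
    return name, attrs


def audit(raw_response):
    """Report Boruta cookies missing Secure/HttpOnly and whether HSTS is set."""
    report = {"missing_secure": [], "missing_httponly": [], "hsts": False}
    for name, value in parse_headers(raw_response):
        if name == "strict-transport-security" and "max-age=" in value.lower():
            report["hsts"] = True
        if name != "set-cookie":
            continue
        cookie, attrs = cookie_attributes(value)
        if cookie not in BORUTA_COOKIES:
            continue
        if "secure" not in attrs:
            report["missing_secure"].append(cookie)
        if "httponly" not in attrs:
            report["missing_httponly"].append(cookie)
    return report


if __name__ == "__main__":
    for label, response in (("pre-0.9.1", VULNERABLE), ("0.9.1", FIXED)):
        print(label, audit(response))
```

Run the audit against a response that actually sets the cookies (a login or authorize redirect, not a static page), and pair it with a second request to the `http://` origin to confirm the proxy now rejects or redirects plaintext: a Secure cookie never reaches the wire unencrypted, but the HTTPS-only enforcement and HSTS are what keep a browser from opening the plaintext connection in the first place.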
Analysis (AI-generated)
Session cookie hijacking in Boruta authorization server prior to 0.9.1 allows network-positioned attackers to capture authentication and remember-me cookies because they lack the Secure attribute and may be transmitted over plaintext HTTP. The flaw affects boruta_web, boruta_identity, and boruta_admin components and enables full user impersonation, including potentially administrative sessions on an OAuth 2.0/OpenID Connect identity provider. …
Vulnerability Assessment (AI-generated)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires three concrete conditions: (1) the Boruta origin must be reachable over plaintext HTTP, i.e. the operator has not forced HTTPS-only at the reverse proxy or load balancer and has not configured HSTS; (2) the attacker must hold a network position from which traffic between victim and server can be observed (same LAN, compromised hop, rogue Wi-Fi, on-path ISP); and (3) the victim's browser must issue at least one request to the Boruta origin over HTTP while holding a valid session or remember-me cookie, which a typed hostname, bookmark, HTTP link, or protocol downgrade can induce. … |
| Risk Assessment | The vendor-supplied CVSS 4.0 base score of 8.8 (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L) falls in the High band of the CVSS 4.0 qualitative scale (Critical begins at 9.0), and even that rating assumes a deployment that actually serves Boruta over plaintext HTTP at the same origin, a precondition the description explicitly calls out. … |
| Exploit Scenario | An attacker on the same coffee-shop Wi-Fi as a Boruta administrator waits for the admin's browser to issue any request to the Boruta origin over plaintext HTTP (a bookmark, a typed hostname without scheme, or an HTTP redirect) and passively captures the `_boruta_web_key` and `_boruta_identity_web_user_remember_me` cookies from the wire. The attacker then replays those cookies against the HTTPS endpoint to impersonate the administrator and issue OAuth tokens or modify identity records. … |
| Remediation | Upgrade to Boruta 0.9.1 or later, which includes commit 18691c655164635066aa113003a3cd87f6ed11cd setting `secure: true` and `same_site: "Lax"` on the session cookies for boruta_web, boruta_identity, and boruta_admin, and `secure: true` on the identity remember-me cookie. … |
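As an added illustration of condition (3) and the capture step in the scenario above (example code, not from this page or from Boruta): Python's http.cookiejar applies the same rule a browser does, attaching a cookie flagged Secure only to https:// requests and an unflagged cookie to http:// as well, so it can show which of the two Boruta cookies a browser would put on the wire in a plaintext request before and after the 0.9.1 fix. The host idp.example, the paths and the cookie values are constructed.

```python
"""Why a cookie without the Secure attribute leaks over plaintext HTTP.

Added example; not Boruta project code. http.cookiejar's DefaultCookiePolicy
refuses to send a Secure cookie on a non-https request, which is exactly
the browser behaviour the 0.9.1 fix relies on. Host, paths and cookie
values are constructed.
"""
import email.message
import http.cookiejar
import urllib.request

IDP_HOST = "idp.example"  # hypothetical Boruta deployment

# Constructed Set-Cookie headers as a browser receives them from the HTTPS
# login response. BEFORE mirrors pre-0.9.1 (no Secure attribute); AFTER
# mirrors the 0.9.1 patch (Secure plus SameSite=Lax on the session cookie,
# Secure on the remember-me cookie). Values are placeholders.
BEFORE = [
    "_boruta_web_key=SFMyNTY.placeholder; Path=/; HttpOnly",
    "_boruta_identity_web_user_remember_me=rm-placeholder; Path=/; Max-Age=5184000; HttpOnly",
]
AFTER = [
    "_boruta_web_key=SFMyNTY.placeholder; Path=/; HttpOnly; Secure; SameSite=Lax",
    "_boruta_identity_web_user_remember_me=rm-placeholder; Path=/; Max-Age=5184000; HttpOnly; Secure",
]


class _LoginResponse:
    """Minimal response stand-in: CookieJar.extract_cookies only calls .info()."""

    def __init__(self, set_cookie_headers):
        self._headers = email.message.Message()
        for value in set_cookie_headers:
            self._headers.add_header("Set-Cookie", value)

    def info(self):
        return self._headers


def browser_after_login(set_cookie_headers):
    """Simulate a browser storing the cookies set by the HTTPS login response."""
    jar = http.cookiejar.CookieJar()
    login_request = urllib.request.Request(f"https://{IDP_HOST}/login")
    jar.extract_cookies(_LoginResponse(set_cookie_headers), login_request)
    return jar


def cookies_sent_to(jar, url):
    """Sorted names of the cookies the jar attaches to a request for url."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)        # this is where the Secure check runs
    cookie_header = request.get_header("Cookie")
    if not cookie_header:
        return []
    return sorted(p.split("=", 1)[0].strip() for p in cookie_header.split(";"))


def exposure(set_cookie_headers):
    """Which cookies travel over HTTPS and which would leak over plaintext HTTP."""
    jar = browser_after_login(set_cookie_headers)
    return {
        "https": cookies_sent_to(jar, f"https://{IDP_HOST}/oauth/authorize"),
        "http": cookies_sent_to(jar, f"http://{IDP_HOST}/oauth/authorize"),
    }


if __name__ == "__main__":
    for label, headers in (("before fix", BEFORE), ("after fix", AFTER)):
        print(label, exposure(headers))
```

Before the fix both cookies ride along on the plaintext request, and the remember-me cookie is the more valuable capture because its Max-Age keeps it usable after the browser session ends; after the fix the plaintext request carries neither. The replay step of the scenario is unaffected by SameSite, since the attacker presents the captured cookie from a client of their own rather than from a browser bound by that attribute.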
Recommended Action (AI-generated)
Within 24 hours: Inventory all Boruta installations and identify versions in use, particularly any version prior to 0.9.1, and document critical applications dependent on Boruta authentication. …
EUVD-2026-36243