CVE-2026-53661: boruta-server sent sensitive session cookies without the Secure attribute
Boruta is a standalone authorization server that aims to implement OAuth 2.0 and OpenID Connect up to decentralized identity specifications. Prior to version 0.9.1, Boruta session cookies and the identity "remember me" cookie were set without the Secure attribute. In deployments where users could reach the same Boruta origin over plaintext HTTP, browsers would send these cookies over an unencrypted connection. An attacker able to observe or intercept that traffic could recover a valid session or remember-me cookie and replay it to impersonate the affected user.

Affected components include boruta_web, boruta_identity and boruta_admin. The affected cookies are the shared session cookie, defaulting to `_boruta_web_key`, and the identity remember-me cookie, defaulting to `_boruta_identity_web_user_remember_me`.

The issue is fixed in commit 18691c655164635066aa113003a3cd87f6ed11cd, released as part of version 0.9.1. The patch sets `secure: true` and `same_site: "Lax"` on the configured session cookies for boruta_web, boruta_identity and boruta_admin, and sets `secure: true` on the identity remember-me cookie.

Until a release containing the fix is deployed:
- terminate or reject plaintext HTTP before requests reach Boruta;
- enforce HTTPS-only access at the reverse proxy or load balancer;
- enable HSTS for Boruta domains;
- if cookie exposure is suspected, rotate SECRET_KEY_BASE and BORUTA_SESSION_COOKIE_SIGNING_SALT so that previously issued cookies no longer verify, then require users to authenticate again.

Upgrade to a version containing commit 18691c655164635066aa113003a3cd87f6ed11cd, or apply the patch manually. After deploying the fix, verify that Boruta session and remember-me cookies carry the Secure attribute, either in browser developer tools or by inspecting the Set-Cookie response headers with an HTTP inspection tool. Secure only stops the browser from sending a cookie over plaintext; it does nothing for a cookie that was already captured, which is why the rotation step above still applies after the upgrade if exposure is suspected.
Metrics
- CVSS v4.0: 8.8
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a session cookie misconfiguration in boruta-server, an open-source OAuth 2.0 and OpenID Connect authorization server. The affected application set its session cookies and a remember-me cookie without the Secure attribute, so browsers would transmit them over unencrypted HTTP connections wherever that path was reachable. An attacker who can observe or intercept plaintext HTTP traffic can recover a valid session or remember-me cookie and use it to impersonate the affected user. No release containing the fix has been published yet, although the patch exists in commit 18691c655164635066aa113003a3cd87f6ed11cd; HarborGuard is tracking the advisory until an official release becomes available.
HarborGuard Coverage
- Detection (Available): Detection of CVE-2026-53661 is available across every HarborGuard environment. The CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images containing boruta-server, in registries and CI pipelines.
- Scoring (Available): HarborGuard scores this CVE at CVSS 8.8 HIGH and can weight that score against each environment's compliance policy to determine urgency and route findings to the appropriate team inbox within a customer's organization.
- Remediation (Pending upstream): Because no fix release has been published, HarborGuard re-checks the upstream advisory on every ingest cycle and will make a patched-image rebuild available the moment a release containing the fix is identified. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads are triggered automatically at that point.
Exploit Conditions
- Network reachability: Required. The attacker must be positioned to observe or intercept HTTP traffic between the user's browser and the Boruta origin, so the service must be reachable over the network on a plaintext HTTP path.
- Authentication: Not required. No account or credentials are needed; the attacker only needs passive access to the network traffic carrying the cookie.
- Victim interaction: Not required. No victim action is needed beyond the user making a normal authenticated request over a plaintext HTTP connection that the attacker can see.
- Attack complexity: Low (AC:L in the CVSS vector). The exploit is reliable and condition-free once the plaintext HTTP path is reachable; no race condition or special environmental setup is required.
Blast Radius
- An attacker reads a valid session cookie (`_boruta_web_key`) or remember-me cookie (`_boruta_identity_web_user_remember_me`) from intercepted HTTP traffic.
- The recovered cookie is replayed to impersonate the affected user against boruta_web, boruta_identity, or boruta_admin without supplying credentials.
- Because boruta-server acts as an OAuth 2.0 and OpenID Connect provider, a hijacked admin or privileged session extends impersonation reach to downstream applications that trust tokens issued by this server.
How HarborGuard Handles This
Images containing boruta-server versions below 0.9.1 are flagged as affected by this CVE as soon as the advisory is ingested. Because no official fix release exists yet, HarborGuard monitors the upstream advisory on every ingest cycle and will surface a patched-image rebuild the moment a release containing commit 18691c655164635066aa113003a3cd87f6ed11cd is published; for customers with auto-remediation enabled, the rebuild, regression run, and PR flow trigger automatically at that point.

In the interim, the advisory recommends terminating or rejecting plaintext HTTP before requests reach Boruta at the reverse proxy or load balancer layer, enforcing HTTPS-only access, enabling HSTS on Boruta domains and, if cookie exposure is suspected, rotating SECRET_KEY_BASE and BORUTA_SESSION_COOKIE_SIGNING_SALT to invalidate any captured cookies. After any fix deployment, verify that Boruta session and remember-me cookies carry the Secure attribute in the Set-Cookie response headers; until the header actually changes, HTTPS enforcement at the edge is the only thing keeping the cookie off the wire in clear.
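The verification step above can be scripted against the raw Set-Cookie headers of a login or session response (for example, the lines printed by `curl -sI` against the Boruta origin). The following is an added example written for this page, not code from the Boruta project or from HarborGuard: the cookie names are the advisory's defaults, the header lines are constructed to show the pre-fix and post-fix shapes rather than captured from a real deployment, and the check goes beyond the advisory's Secure check by also reporting a missing HttpOnly or SameSite attribute.

```python
"""Audit Set-Cookie headers for the Secure attribute on Boruta's cookies.

Added example for this advisory page; not code from the Boruta project.
Cookie names are the advisory's defaults; the sample headers are constructed.
"""
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Default names of the affected cookies per the advisory (deployments may rename them).
BORUTA_COOKIES = ("_boruta_web_key", "_boruta_identity_web_user_remember_me")


@dataclass
class CookieAudit:
    name: str
    secure: bool
    http_only: bool
    same_site: Optional[str]
    problems: List[str] = field(default_factory=list)


def parse_set_cookie(header_value: str) -> CookieAudit:
    """Parse one Set-Cookie value: 'name=value; attr; attr=val ...'.

    Attribute names are matched case-insensitively, as browsers do.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    secure = http_only = False
    same_site: Optional[str] = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            secure = True
        elif key == "httponly":
            http_only = True
        elif key == "samesite":
            same_site = val.strip() or None
    return CookieAudit(name=name, secure=secure, http_only=http_only, same_site=same_site)


def audit_headers(set_cookie_headers: Iterable[str],
                  watched: Iterable[str] = BORUTA_COOKIES) -> List[CookieAudit]:
    """Audit only the watched cookies; each result lists the protections it lacks."""
    watched = set(watched)
    results = []
    for header in set_cookie_headers:
        audit = parse_set_cookie(header)
        if audit.name not in watched:
            continue
        if not audit.secure:
            audit.problems.append("missing Secure")  # the defect behind CVE-2026-53661
        if not audit.http_only:
            audit.problems.append("missing HttpOnly")
        if audit.same_site is None:
            audit.problems.append("missing SameSite")
        results.append(audit)
    return results


def missing_cookies(results: List[CookieAudit],
                    watched: Iterable[str] = BORUTA_COOKIES) -> List[str]:
    """Watched cookies that never appeared; the response may not have set a session."""
    seen = {r.name for r in results}
    return [n for n in watched if n not in seen]


# Constructed sample headers (placeholder cookie values, not real signed sessions).
VULNERABLE_HEADERS = [
    "_boruta_web_key=SFMyNTY.abc; path=/; HttpOnly",
    "_boruta_identity_web_user_remember_me=SFMyNTY.def; path=/; max-age=5184000; HttpOnly",
]
# Post-fix shape as the advisory describes it: session cookie gains Secure and
# SameSite=Lax, the remember-me cookie gains Secure only.
FIXED_HEADERS = [
    "_boruta_web_key=SFMyNTY.abc; path=/; secure; HttpOnly; SameSite=Lax",
    "_boruta_identity_web_user_remember_me=SFMyNTY.def; path=/; max-age=5184000; secure; HttpOnly",
]

if __name__ == "__main__":
    for label, headers in (("before fix", VULNERABLE_HEADERS), ("after fix", FIXED_HEADERS)):
        print(label)
        for a in audit_headers(headers):
            print(f"  {a.name}: {'OK' if not a.problems else ', '.join(a.problems)}")
        for name in missing_cookies(audit_headers(headers)):
            print(f"  {name}: not set in this response")
```

Feed `audit_headers` one string per Set-Cookie header from a real response. As the advisory describes the patch, the remember-me cookie gains Secure but not SameSite, so a "missing SameSite" finding on that cookie is expected from the description alone; confirm it against the real header and decide whether the deployment's cross-site flows make it worth setting.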
Affected Products
- malach-it/boruta-server: < 0.9.1

CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N