CVE-2026-53661: CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in malach-it boruta-server
Boruta is a standalone authorization server that aims to implement OAuth 2.0 and OpenID Connect up to decentralized identity specifications. Prior to version 0.9.1, Boruta session cookies and the identity "remember me" cookie were set without the Secure attribute. In deployments where users could reach the same Boruta origin over plaintext HTTP, browsers could send these cookies over an unencrypted connection. An attacker able to observe or intercept that network traffic could recover a valid session or remember-me cookie and reuse it to impersonate the affected user.

Affected components include boruta_web, boruta_identity, and boruta_admin. The affected cookies are the shared session cookie, defaulting to `_boruta_web_key`, and the identity remember-me cookie, defaulting to `_boruta_identity_web_user_remember_me`.

The issue is fixed in commit 18691c655164635066aa113003a3cd87f6ed11cd, released as part of version 0.9.1. The patch sets `secure: true` and `same_site: "Lax"` on the configured session cookies for boruta_web, boruta_identity, and boruta_admin, and sets `secure: true` on the identity remember-me cookie.

Until upgrading to a release containing the fix: terminate or reject plaintext HTTP before requests reach Boruta; enforce HTTPS-only access at the reverse proxy or load balancer; enable HSTS for Boruta domains; and, if cookie exposure is suspected, rotate SECRET_KEY_BASE and BORUTA_SESSION_COOKIE_SIGNING_SALT, then require users to authenticate again. Upgrade to a version containing commit 18691c655164635066aa113003a3cd87f6ed11cd, or apply the patch manually. After deploying the fix, verify that Boruta session and remember-me cookies include the Secure attribute in browser developer tools or with an HTTP response inspection tool.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2026-53661 in malach-it's boruta-server involves session cookies and the identity remember-me cookie being set without the Secure attribute prior to version 0.9.1. Without the Secure flag, browsers may transmit these cookies over plaintext HTTP whenever the same Boruta origin is reachable without TLS, exposing them to interception. An attacker who captures a valid session or remember-me cookie can replay it to impersonate the user. The fix, introduced in commit 18691c655164635066aa113003a3cd87f6ed11cd and released in version 0.9.1, sets Secure and SameSite=Lax on the session cookies and Secure on the remember-me cookie, so browsers no longer send them over non-HTTPS connections.
Potential Impact
An attacker able to observe or intercept network traffic on an unencrypted HTTP connection to the Boruta server could capture session or remember-me cookies. This enables the attacker to impersonate affected users by reusing these cookies. The vulnerability compromises user session confidentiality and authentication integrity when HTTPS is not enforced.
Mitigation Recommendations
A fix is available in boruta-server version 0.9.1, which sets the Secure and SameSite attributes on cookies to prevent their transmission over plaintext HTTP. Until upgrading, it is recommended to terminate or reject plaintext HTTP requests before they reach Boruta, enforce HTTPS-only access at reverse proxies or load balancers, and enable HTTP Strict Transport Security (HSTS) for Boruta domains. If cookie exposure is suspected, rotate SECRET_KEY_BASE and BORUTA_SESSION_COOKIE_SIGNING_SALT and require users to re-authenticate. After applying the fix, verify that cookies include the Secure attribute using browser developer tools or HTTP response inspection.
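A post-deployment check for the verification step above (and the same step in the description), as an added example that is not part of the advisory or of the Boruta project: it parses Set-Cookie header values and reports, for each default Boruta cookie name, whether the attributes the 0.9.1 patch sets are present. The sample headers are constructed; the REQUIRED map mirrors the patch (Secure plus SameSite on the session cookie, Secure only on the remember-me cookie).

```python
# Added example, not Boruta project code: audit Set-Cookie headers for the
# attributes the CVE-2026-53661 fix sets (sample headers below are constructed).
# REQUIRED lists what the 0.9.1 patch sets per cookie (default names from the advisory).
REQUIRED = {
    "_boruta_web_key": {"secure", "samesite"},
    "_boruta_identity_web_user_remember_me": {"secure"},
}

def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (cookie name, {attribute: value}).
    Attribute names are lowercased; flags such as Secure map to True."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if sep else True
    return name, attrs

def audit_cookies(set_cookie_headers, required=REQUIRED):
    """Return {cookie name: [problems]}; an empty list means the cookie passed.
    A cookie that never appears is reported as "not set" so that a disabled
    feature is not mistaken for a pass."""
    findings = {name: ["not set"] for name in required}
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if name not in required:
            continue
        problems = []
        if "secure" in required[name] and attrs.get("secure") is not True:
            problems.append("missing Secure")
        if "samesite" in required[name]:
            value = attrs.get("samesite")
            if not isinstance(value, str) or value.lower() not in ("lax", "strict"):
                problems.append("SameSite missing or None")
        findings[name] = problems
    return findings

# Constructed samples: the pre-0.9.1 shape and the patched shape.
BEFORE = [
    "_boruta_web_key=SFMyNTY.example; path=/; HttpOnly",
    "_boruta_identity_web_user_remember_me=SFMyNTY.example; path=/; HttpOnly",
]
AFTER = [
    "_boruta_web_key=SFMyNTY.example; path=/; secure; HttpOnly; SameSite=Lax",
    "_boruta_identity_web_user_remember_me=SFMyNTY.example; path=/; secure; HttpOnly",
]
```

To check a real deployment, pass in the Set-Cookie values from a login response (for example captured with `curl -i` against the HTTPS origin) in place of the constructed lists.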
CVSS v4.0
Score: 8.8 (High)
Affected software
pkg:github/malach-it/boruta-server
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-06-09T20:50:36.877Z
- CVSS Version: 4.0
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a2ac2f3815e7002b8f5020c
Added to database: 6/11/2026, 2:15:15 PM
Last enriched: 6/11/2026, 2:30:08 PM
Last updated: 6/11/2026, 6:13:52 PM