Boruta is a standalone authorization server that aims to implement OAuth 2.0 and Openid Connect up to decentralized identity specifications. Prior to version 0.9.1, boruta session cookies and the identity “remember me” cookie were set without the Secure attribute. In deployments where users could reach the same Boruta origin over plaintext HTTP, browsers could send these cookies over an unencrypted connection. An attacker able to observe or intercept that network traffic could recover a valid session or remember-me cookie and reuse it to impersonate the affected user. Affected components include boruta_web, boruta_identity, and boruta_admin. The affected cookies include the shared session cookie, defaulting to _boruta_web_key, and the identity remember-me cookie, defaulting to _boruta_identity_web_user_remember_me. The issue is fixed in commit 18691c655164635066aa113003a3cd87f6ed11cd, released as part of version 0.9.1. The patch sets secure: true and same_site: "Lax" on configured session cookies for boruta_web, boruta_identity, and boruta_admin, and sets secure: true on the identity remember-me cookie. Until upgrading to a release containing the fix: terminate or reject plaintext HTTP before requests reach Boruta; enforce HTTPS-only access at the reverse proxy or load balancer; enable HSTS for Boruta domains; if cookie exposure is suspected, rotate SECRET_KEY_BASE and BORUTA_SESSION_COOKIE_SIGNING_SALT, then require users to authenticate again. Upgrade to a version containing commit 18691c655164635066aa113003a3cd87f6ed11cd, or apply the patch manually. After deploying the fix, verify that Boruta session and remember-me cookies include the Secure attribute in browser developer tools or with an HTTP response inspection tool.
CVE-2026-53661
This high-severity CVE scores 8.8 under a secondary CVSS source (NVD's own analysis pending). EPSS exploit probability: 0.3%, top 83% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).
- High severity, but no confirmed exploitation yet
No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.
- CVSS v3
- 8.8
- EG Score
- 8.8(medium)
- EPSS
- 17.2%
- KEV
- Not listed
Published
June 11, 2026
Last Modified
June 11, 2026
Advisory Details (2)
Auto-updated Jun 11, 2026Sensitive session cookies were sent without the Secure attribute · Advisory · malach-it/boruta_auth · GitHub
https://github.com/malach-it/boruta_auth/security/advisories/GHSA-7355-8c95-25pvcommit 18691c655164 (malach-it/boruta-server)
Patch available: malach-it/boruta-server 0.9.2 (contains commit 18691c655164)
https://github.com/malach-it/boruta-server/commit/18691c655164635066aa113003a3cd87f6ed11cdWeakness Classification(1)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Data Freshness Timeline
(refreshed 25× in last 7d / 103× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
Showing the most recent 100 of 105 total refreshes for this CVE.
- 2026-07-11 16:46 UTCEG score recompute
- 2026-07-11 08:27 UTCEPSS rescore
- 2026-07-11 08:27 UTCEPSS rescore
- 2026-07-11 05:17 UTCEG score recompute
- 2026-07-10 17:48 UTCEG score recompute
- 2026-07-09 22:23 UTCEG score recompute
- 2026-07-09 19:10 UTCEPSS rescore
- 2026-07-09 19:10 UTCEPSS rescore
- 2026-07-09 08:22 UTCEG score recompute
- 2026-07-08 20:52 UTCEG score recompute
- 2026-07-08 15:16 UTCEPSS rescore
- 2026-07-08 15:16 UTCEPSS rescore
- 2026-07-08 09:16 UTCEG score recompute
- 2026-07-07 21:44 UTCEG score recompute
- 2026-07-07 13:46 UTCEPSS rescore
- 2026-07-07 13:46 UTCEPSS rescore
- 2026-07-07 03:10 UTCEG score recompute
- 2026-07-06 16:27 UTCEPSS rescore
- 2026-07-06 16:27 UTCEPSS rescore
- 2026-07-06 02:23 UTCEPSS rescore
- 2026-07-06 02:23 UTCEPSS rescore
- 2026-07-05 22:50 UTCEG score recompute
- 2026-07-05 11:05 UTCEG score recompute
- 2026-07-05 02:31 UTCEPSS rescore
- 2026-07-05 02:30 UTCEPSS rescore
Show 75 moreShow fewer
- 2026-07-04 23:02 UTCEG score recompute
- 2026-07-04 11:26 UTCEG score recompute
- 2026-07-04 06:31 UTCEPSS rescore
- 2026-07-04 06:31 UTCEPSS rescore
- 2026-07-03 19:11 UTCEG score recompute
- 2026-07-03 07:43 UTCEG score recompute
- 2026-07-02 17:50 UTCEG score recompute
- 2026-07-02 06:15 UTCEG score recompute
- 2026-07-01 18:46 UTCEG score recompute
- 2026-07-01 15:07 UTCEPSS rescore
- 2026-07-01 07:17 UTCEG score recompute
- 2026-06-30 23:22 UTCEPSS rescore
- 2026-06-30 19:48 UTCEG score recompute
- 2026-06-30 08:20 UTCEG score recompute
- 2026-06-29 20:52 UTCEG score recompute
- 2026-06-29 14:06 UTCEPSS rescore
- 2026-06-29 14:06 UTCEPSS rescore
- 2026-06-29 09:24 UTCEG score recompute
- 2026-06-28 21:56 UTCEG score recompute
- 2026-06-28 14:07 UTCEPSS rescore
- 2026-06-28 10:27 UTCEG score recompute
- 2026-06-28 04:56 UTCEPSS rescore
- 2026-06-28 04:56 UTCEPSS rescore
- 2026-06-27 22:36 UTCEG score recompute
- 2026-06-27 11:08 UTCEG score recompute
- 2026-06-27 03:08 UTCEPSS rescore
- 2026-06-26 23:40 UTCEG score recompute
- 2026-06-26 12:11 UTCEG score recompute
- 2026-06-25 19:44 UTCEG score recompute
- 2026-06-25 13:49 UTCEPSS rescore
- 2026-06-25 08:15 UTCEG score recompute
- 2026-06-24 20:46 UTCEG score recompute
- 2026-06-24 14:05 UTCEPSS rescore
- 2026-06-24 07:52 UTCEG score recompute
- 2026-06-23 21:33 UTCEPSS rescore
- 2026-06-23 21:33 UTCEPSS rescore
- 2026-06-23 19:53 UTCEG score recompute
- 2026-06-23 08:24 UTCEG score recompute
- 2026-06-22 19:15 UTCEG score recompute
- 2026-06-22 14:25 UTCEPSS rescore
- 2026-06-22 14:25 UTCEPSS rescore
- 2026-06-22 07:27 UTCEG score recompute
- 2026-06-21 19:28 UTCEG score recompute
- 2026-06-21 14:56 UTCEPSS rescore
- 2026-06-21 14:56 UTCEPSS rescore
- 2026-06-21 08:00 UTCEG score recompute
- 2026-06-21 01:59 UTCEPSS rescore
- 2026-06-21 01:59 UTCEPSS rescore
- 2026-06-20 20:31 UTCEG score recompute
- 2026-06-20 07:38 UTCEG score recompute
- 2026-06-19 20:06 UTCEG score recompute
- 2026-06-19 19:26 UTCEPSS rescore
- 2026-06-19 19:26 UTCEPSS rescore
- 2026-06-19 08:36 UTCEG score recompute
- 2026-06-18 21:06 UTCEG score recompute
- 2026-06-18 17:52 UTCEPSS rescore
- 2026-06-18 17:52 UTCEPSS rescore
- 2026-06-18 09:38 UTCEG score recompute
- 2026-06-17 21:17 UTCEG score recompute
- 2026-06-17 17:53 UTCEPSS rescore
- 2026-06-17 09:48 UTCEG score recompute
- 2026-06-16 22:18 UTCEG score recompute
- 2026-06-16 17:53 UTCEPSS rescore
- 2026-06-16 10:50 UTCEG score recompute
- 2026-06-15 23:21 UTCEG score recompute
- 2026-06-15 17:49 UTCEPSS rescore
- 2026-06-15 17:49 UTCEPSS rescore
- 2026-06-15 11:52 UTCEG score recompute
- 2026-06-15 00:16 UTCEG score recompute
- 2026-06-14 12:47 UTCEG score recompute
- 2026-06-14 01:18 UTCEG score recompute
- 2026-06-13 23:00 UTCEPSS rescore
- 2026-06-13 13:50 UTCEG score recompute
- 2026-06-13 02:21 UTCEG score recompute
- 2026-06-12 23:12 UTCEPSS rescore
Frequently asked(5)
What is CVE-2026-53661?
When was CVE-2026-53661 disclosed?
Is CVE-2026-53661 actively exploited?
What is the CVSS score of CVE-2026-53661?
How do I remediate CVE-2026-53661?
Dependency Blast Radius
Explore the affected products and dependency analysis for CVE-2026-53661
Is Your Infrastructure Affected by CVE-2026-53661?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.