CVE-2026-43827 MEDIUM

CVE-2026-43827: Apache Shiro: Session fixation: new session is not created after login by default

Vendor Apache Software Foundation

Product Apache Shiro

Weakness CWE-384 · Session fixation

Published May 25, 2026

Last update May 26, 2026

View on NVD All CVEs

CVSS base score

5.9/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/AU:Y/R:U/RE:L/U:Amber

What the vulnerability does

Description

Default configurations of Apache Shiro have a session fixation vulnerability. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue. In the affected versions, when a session already exists, it is not invalidated upon successful login, nor is a new session being generated with a new ID.

Key dates

Disclosure timeline

May 25, 2026 CVE published

May 26, 2026 Record updated

Identifiers

CVE CVE-2026-43827

CWE CWE-384

CVSS 5.9 / MEDIUM

Affected versions

Vendor Apache Software Foundation

Product Apache Shiro

Affected ≥ 1.0 and ≤ 2.1.0

Vendor Apache Software Foundation

Product Apache Shiro

Affected ≥ 3.0.0-alpha-0 and ≤ 3.0.0-alpha-1