Home

Description

Default configurations of Apache Shiro have a session fixation vulnerability. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue. In the affected versions, when a session already exists, it is not invalidated upon successful login, nor is a new session being generated with a new ID.

PUBLISHED Reserved 2026-05-02 | Published 2026-05-25 | Updated 2026-05-26 | Assigner apache




MEDIUM: 5.9CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/AU:Y/R:U/RE:L/U:Amber

Problem types

CWE-384 Session Fixation

Product status

Default status
unaffected

1.0 (semver)
affected

3.0.0-alpha-0 (semver)
affected

Credits

Rasmus Moorats <xx@nns.ee> finder

Lenny Primak <lenny@flowlogix.com> remediation developer

References

www.openwall.com/lists/oss-security/2026/05/25/6

shiro.apache.org/security-reports.html vendor-advisory

cve.org (CVE-2026-43827)

nvd.nist.gov (CVE-2026-43827)

Download JSON