CVE-2026-43827
Severity CVSS v4.0:
MEDIUM
Type:
Unavailable / Other
Publication date:
25/05/2026
Last modified:
28/05/2026
Description
Default configurations of Apache Shiro have a session fixation vulnerability.<br />
<br />
This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1.<br />
<br />
Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue.<br />
<br />
In the affected versions, when a session already exists, it is not invalidated upon successful login, nor is a new session being generated with a new ID.
Impact
Base Score 4.0
5.90
Severity 4.0
MEDIUM
Base Score 3.x
6.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:apache:shiro:*:*:*:*:*:*:*:* | 2.1.1 (excluding) | |
| cpe:2.3:a:apache:shiro:3.0.0:alpha1:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page



