CVE-2026-43827

Severity CVSS v4.0:
MEDIUM
Type:
Unavailable / Other
Publication date:
25/05/2026
Last modified:
28/05/2026

Description

Default configurations of Apache Shiro have a session fixation vulnerability.<br /> <br /> This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1.<br /> <br /> Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue.<br /> <br /> In the affected versions, when a session already exists, it is not invalidated upon successful login, nor is a new session being generated with a new ID.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:apache:shiro:*:*:*:*:*:*:*:* 2.1.1 (excluding)
cpe:2.3:a:apache:shiro:3.0.0:alpha1:*:*:*:*:*:*