Apache Shiro session fixation (1.0-2.1.0, 3.0.0-alpha-1)
CVE-2026-43827 Published on May 25, 2026

Apache Shiro: Session fixation: new session is not created after login by default
Default configurations of Apache Shiro have a session fixation vulnerability. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue. In the affected versions, when a session already exists, it is not invalidated upon successful login, nor is a new session being generated with a new ID.

Vendor Advisory NVD

Weakness Type

Session Fixation

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

Products Associated with CVE-2026-43827

Want to know whenever a new CVE is published for Apache Shiro? stack.watch will email you.

Apache Shiro

Affected Versions

Apache Software Foundation Apache Shiro:

Version 1.0, <= 2.1.0 is affected.
Version 3.0.0-alpha-0, <= 3.0.0-alpha-1 is affected.

Apache Shiro session fixation (1.0-2.1.0, 3.0.0-alpha-1)CVE-2026-43827 Published on May 25, 2026

Weakness Type

Session Fixation

Products Associated with CVE-2026-43827

Affected Versions

Apache Shiro session fixation (1.0-2.1.0, 3.0.0-alpha-1)
CVE-2026-43827 Published on May 25, 2026