CVE-2026-43827

UNKNOWN 0.0

Apache Shiro: Session fixation: new session is not created after login by default

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Default configurations of Apache Shiro have a session fixation vulnerability. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue. In the affected versions, when a session already exists, it is not invalidated upon successful login, nor is a new session being generated with a new ID.

CWE	CWE-384
Vendor	apache software foundation
Product	apache shiro
Published	May 25, 2026
Last Updated	May 26, 2026

Stay Ahead of the Next One

Get instant alerts for apache software foundation apache shiro

Be the first to know when new unknown vulnerabilities affecting apache software foundation apache shiro are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Apache Software Foundation / Apache Shiro

1.0 ≤ 2.1.0 3.0.0-alpha-0 ≤ 3.0.0-alpha-1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

shiro.apache.org: https://shiro.apache.org/security-reports.html#cve_2026_43827 openwall.com: http://www.openwall.com/lists/oss-security/2026/05/25/6

Credits

Rasmus Moorats <[email protected]> Lenny Primak <[email protected]>