Session Fixation Vulnerability in Apache Shiro by Apache Software Foundation
CVE-2026-43827

5.9MEDIUM

Key Information:

Vendor: Apache
Status: Apache Shiro
Vendor: CVE Published:; 25 May 2026

What is CVE-2026-43827?

Apache Shiro versions 1.0 through 2.1.0 and 3.0.0-alpha-1 exhibit a session fixation vulnerability. In these versions, if a session already exists at the time of a successful login, the session is not invalidated, and a new session ID is not created. This behavior permits an attacker to exploit the session fixation vector, potentially leading to unauthorized actions under the victim’s session. Users are strongly recommended to upgrade to Apache Shiro version 2.1.1 or 3.0.0-alpha-2 or later, which effectively resolves this issue. For more information, refer to the vendor's security reports.

Affected Version(s)

Apache Shiro 1.0 <= 2.1.0

Apache Shiro 3.0.0-alpha-0 <= 3.0.0-alpha-1

References

https://shiro.apache.org/security-reports.html#cve_2026_4...

vendor-advisory

CVSS V4

Score:

5.9

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 25, 2026
Vulnerability Reserved
May 2, 2026

Credit

Rasmus Moorats <xx@nns.ee>

Lenny Primak <lenny@flowlogix.com>

CVE-2026-43827 Data

JSON