CVE-2026-43827
Session Fixation in Apache Shiro
Publication date: 2026-05-25
Last updated on: 2026-05-25
Assigner: Apache Software Foundation
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | shiro | From 1.0 (inc) to 2.1.1 (exc) |
| apache | shiro | 2.1.0 |
| apache | shiro | 3.0.0-alpha-1 |
| apache | shiro | 2.1.1 |
| apache | shiro | 3.0.0-alpha-2 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-384 | Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a session fixation issue found in default configurations of Apache Shiro versions from 1.0 to 2.1.0 and 3.0.0-alpha-1.
In the affected versions, when a user logs in successfully, the existing session is not invalidated and no new session with a new ID is created.
This means an attacker could potentially fixate a session ID and hijack a user's session.
How can this vulnerability impact me?
The vulnerability can allow an attacker to hijack a user's session by exploiting the fact that the session ID does not change upon login.
This can lead to unauthorized access to user accounts and sensitive information.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the session fixation vulnerability in Apache Shiro, upgrade to version 2.1.1 or 3.0.0-alpha-2 or later, as these versions fix the issue.
The vulnerability arises because in affected versions (1.0 to 2.1.0 and 3.0.0-alpha-1), when a session already exists, it is not invalidated upon successful login, nor is a new session generated with a new ID.
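The following login helper applies the same idea as the fix on a deployment that cannot upgrade yet: any session that exists before authentication is stopped, so Shiro has to create a fresh session (and session id) when the login succeeds, and the caller can verify that the id actually changed. This is an added example, not Shiro's own code and not the 2.1.1 patch; it assumes the application has already configured a Shiro SecurityManager (for example through ShiroFilter) and uses only the standard Shiro API (SecurityUtils, Subject, Session, UsernamePasswordToken). Upgrading remains the recommended mitigation.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;

import java.io.Serializable;

/**
 * Login helper that defeats session fixation (CWE-384) on Shiro versions
 * that do not rotate the session id on login by themselves.
 * Constructed example; requires a SecurityManager configured by the app.
 */
public final class FixationSafeLogin {

    /** Session id observed before and after authentication (Java 16+ record). */
    public record Result(Serializable before, Serializable after) {
        /** True when login produced a session id the client did not hold beforehand. */
        public boolean sessionRotated() {
            return before == null || !before.equals(after);
        }
    }

    public static Result login(String username, char[] password)
            throws AuthenticationException {
        Subject subject = SecurityUtils.getSubject();

        // A session that already exists before login may carry an id chosen by
        // an attacker. Stop it so the authenticated state cannot be bound to it.
        Session existing = subject.getSession(false);
        Serializable before = existing == null ? null : existing.getId();
        if (existing != null) {
            existing.stop(); // invalidates the session; the Subject drops its reference
        }

        UsernamePasswordToken token = new UsernamePasswordToken(username, password);
        try {
            // On success Shiro stores the principals in a session; because none
            // exists any more, a new one with a new id is created.
            subject.login(token);
        } finally {
            token.clear(); // do not keep the password in memory longer than needed
        }

        Serializable after = subject.getSession().getId();
        return new Result(before, after);
    }
}
```

In an integration test, call `FixationSafeLogin.login(...)` from a request that already carries a session cookie and assert `result.sessionRotated()`; a false result means the deployment still binds the authenticated session to the pre-login id.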