VYPR
Unrated severity · NVD Advisory · Published May 25, 2026

Apache Shiro: Session fixation: new session is not created after login by default

CVE-2026-43827

Description

Default configurations of Apache Shiro have a session fixation vulnerability.

This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1.

Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue.

In the affected versions, when a session already exists, it is not invalidated upon successful login, nor is a new session with a new ID generated.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache Shiro default configurations fail to invalidate existing sessions on login, enabling session fixation attacks in versions 1.0 to 2.1.0 and 3.0.0-alpha-1.

Vulnerability

Apache Shiro versions 1.0 through 2.1.0 and 3.0.0-alpha-1 have a session fixation vulnerability in their default configurations [1]. When a user logs in, the existing session is not invalidated and a new session ID is not generated, allowing an attacker to pre-set a session ID and have the victim authenticate with that session [1].

Exploitation

An attacker can craft a link containing a known session ID and trick a victim into clicking it, establishing a session on the Shiro application. When the victim logs in, the session ID remains the same, giving the attacker knowledge of the authenticated session ID [1]. No special network position or authentication is required beyond social engineering to deliver the session ID.

Impact

Successful exploitation allows an attacker to hijack the victim's authenticated session after login, gaining access to the victim's account and any associated data or actions [1]. This compromises the confidentiality and integrity of user sessions.

Mitigation

Upgrade to Apache Shiro version 2.1.1, 2.2.0, 3.0.0-alpha-2, or later [1]. These versions invalidate the existing session and create a new session with a new ID upon successful login [1]. No workaround is provided for unpatched versions.
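As an added check that is not code from this page or from the Shiro project: a standalone Java program that logs in through a DefaultSecurityManager backed by a SimpleAccountRealm (both constructed here) and reports whether the session ID changes across login; rotateSession() performs by hand the same rotation the fixed versions do, stopping the pre-authentication session and starting a fresh one before login so the principals are stored under a new ID. Assumed: shiro-core on the classpath; the account name, password and session attribute are constructed test values.

```java
import java.io.Serializable;
import java.util.*;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;

public class ShiroSessionFixationCheck {
    // Stops the current session and starts a fresh one, carrying over the
    // pre-authentication attributes. Call BEFORE subject.login() so the
    // principals Shiro stores on login land in a session with a new ID.
    static Session rotateSession(Subject subject) {
        Session old = subject.getSession(false);
        Map<Object, Object> carried = new HashMap<>();
        if (old != null) {
            for (Object key : new ArrayList<>(old.getAttributeKeys())) {
                carried.put(key, old.getAttribute(key));
            }
            old.stop();                            // invalidate the old session
        }
        Session fresh = subject.getSession(true);  // new session, new ID
        carried.forEach(fresh::setAttribute);
        return fresh;
    }

    // Returns true when the session ID after login differs from the one that
    // existed before login and the pre-auth attribute survived. On an affected
    // Shiro version this is false without rotation and true with it.
    static boolean idChangesAcrossLogin(boolean rotate) {
        SimpleAccountRealm realm = new SimpleAccountRealm();
        realm.addAccount("alice", "secret");       // constructed test account
        DefaultSecurityManager sm = new DefaultSecurityManager(realm);
        Subject subject = new Subject.Builder(sm).buildSubject();
        Session preAuth = subject.getSession(true);
        preAuth.setAttribute("cart", "item-42");   // constructed pre-auth state
        Serializable idBefore = preAuth.getId();
        if (rotate) rotateSession(subject);
        subject.login(new UsernamePasswordToken("alice", "secret"));
        Session postAuth = subject.getSession();
        boolean attrKept = "item-42".equals(postAuth.getAttribute("cart"));
        return attrKept && !postAuth.getId().equals(idBefore);
    }

    public static void main(String[] args) {
        System.out.println("ID rotates on default login:    " + idChangesAcrossLogin(false));
        System.out.println("ID rotates with rotateSession(): " + idChangesAcrossLogin(true));
    }
}
```

Run it against the Shiro version on your classpath: a false first line means that build still reuses the pre-login session ID.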

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Apache/Shiro (inferred; no CPE): versions >=1.0, <=2.1.0, and =3.0.0-alpha-1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

1 reference, cited as [1] above

News mentions

No linked articles in our index yet.