VYPR
Medium severity6.5NVD Advisory· Published May 25, 2026· Updated May 28, 2026

CVE-2026-43827

CVE-2026-43827

Description

Default configurations of Apache Shiro have a session fixation vulnerability.

This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1.

Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue.

In the affected versions, when a session already exists, it is not invalidated upon successful login, nor is a new session being generated with a new ID.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Apache/Shiroinferred2 versions
    >=1.0,<=2.1.0 || =3.0.0-alpha-1+ 1 more
    • (no CPE)range: >=1.0,<=2.1.0 || =3.0.0-alpha-1
    • (no CPE)range: >=1.0, <=2.1.0, =3.0.0-alpha-1

Patches

Vulnerability mechanics

References

2

News mentions

1