← All CVEs

CVE-2026-43827

MEDIUM 5.9

Published 2026-05-25 · Last modified 2026-05-26

Default configurations of Apache Shiro have a session fixation vulnerability. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue. In the affected versions, when a session already exists, it is not invalidated upon successful login, nor is a new session being generated with a new ID.

NO EXPLOITATION SIGNALS

No known exploitation, public exploit, or elevated probability at this time. Track for changes.

Exploitation likelihood

0.4%chance of exploitation in 30 days · 33rd percentile

○ In CISA KEV ○ Public exploit / PoC

Impact if exploited

5.9CVSS 4.0 · MEDIUM

  • ConfidentialityHigh
  • IntegrityNone
  • AvailabilityNone

What an attacker needs

  • Access: Reachable over the network — no local access needed
  • Privileges: No account or privileges required
  • User interaction: Requires active user interaction
  • Complexity: No special conditions — reliably repeatable
  • Requirements: Specific conditions must be present

✓ lowers the bar for an attacker · ⚠ raises it

Affected

Vendors Apache Software Foundation

Products Apache Shiro

Weakness (CWE)

  • CWE-384

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/AU:Y/R:U/RE:L/U:Amber

Sources: NVD · CVE.org · EPSS