Description
Default configurations of Apache Shiro have a session fixation vulnerability.

This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1.

Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue.

In the affected versions, when a session already exists, it is not invalidated upon successful login, nor is a new session generated with a new ID.
Published: 2026-05-25
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Apache Shiro’s default configuration permits a session‑fixation attack because a new session is not created during login. If an existing session remains active after authentication, an attacker who can set or predict the session identifier before login can hijack that authenticated session. This flaw is classified as CWE‑384 and can compromise confidentiality, integrity, and availability of data accessed with the hijacked session.

Affected Systems

Apache Shiro versions from 1.0 through 2.1.0 and the 3.0.0‑alpha‑1 release are affected. Users must upgrade to at least 2.1.1 or 3.0.0‑alpha‑2, which address the session‑fixation behavior.

Risk and Exploitability

The vulnerability carries a CVSS score of 5.9, indicating moderate severity, and is not currently listed in CISA’s KEV catalog. Although EPSS is not reported, the fix is straightforward and the risk remains significant when an attacker can influence session identifiers. The likely attack vector involves sending a crafted cookie or URL parameter that establishes a session before authentication, followed by a standard login to retain that session.

Generated by OpenCVE AI on May 25, 2026 at 21:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Shiro to version 2.1.1 or later, or 3.0.0‑alpha‑2, which validates and invalidates sessions on authentication.
  • Confirm that the deployment’s configuration enforces session invalidation on login; if using custom settings, explicitly enable the session‑fixation protection flag if available.
  • After patching, verify that new sessions are created with fresh identifiers upon authentication to ensure the session‑fixation vector is eliminated.
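As an added illustration, not Apache Shiro's own patch and not OpenCVE content, the Java helper below applies the mitigation described above on an application that cannot yet upgrade: it stops any pre-authentication session before calling login, then performs the post-patch check from the recommended actions by confirming that the session ID actually changed. It assumes Shiro's standard Subject and Session API (SecurityUtils.getSubject(), Subject.login(), Session.stop(), Session.getId()); the class and method names are hypothetical.

```java
import java.io.Serializable;
import java.util.Objects;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;

/** Hypothetical helper: a login that refuses to keep a pre-authentication session. */
public final class SessionRotatingLogin {

    /**
     * Stops any session that existed before authentication, logs in, and returns
     * the ID of the session now bound to the authenticated subject. Throws
     * IllegalStateException if the ID did not change, i.e. the session-fixation
     * condition from the advisory is still present.
     */
    public static Serializable login(String username, char[] password)
            throws AuthenticationException {
        Subject subject = SecurityUtils.getSubject();

        // Record the pre-auth session ID; in the fixation scenario this is the
        // ID an attacker planted via a cookie or URL parameter before login.
        Session preAuth = subject.getSession(false);
        Serializable oldId = preAuth != null ? preAuth.getId() : null;

        // Invalidate it so authenticated state cannot be stored in a fixed session.
        if (preAuth != null) {
            preAuth.stop();
        }

        subject.login(new UsernamePasswordToken(username, password));

        // Shiro keeps authentication state in the subject's session; after the
        // stop() above this is a newly created session with a fresh ID.
        Serializable newId = subject.getSession(true).getId();

        // Verification step from the recommended actions: the IDs must differ.
        if (oldId != null && Objects.equals(oldId, newId)) {
            subject.logout(); // do not leave an authenticated session in a fixed ID
            throw new IllegalStateException(
                    "session ID unchanged across login: fixation still possible");
        }
        return newId;
    }

    private SessionRotatingLogin() { }
}
```

In a servlet deployment the new ID is also what Shiro's session manager writes into the session cookie, so the same check can be run from an integration test by comparing the cookie value before and after the login request.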


Advisories

No advisories yet.

History

Tue, 26 May 2026 13:45:00 +0000

  Type | Values Removed | Values Added
  References | |

Tue, 26 May 2026 13:15:00 +0000

  Type | Values Removed | Values Added
  Metrics (ssvc) | | {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 25 May 2026 20:45:00 +0000

  Type | Values Removed | Values Added
  Description | | Default configurations of Apache Shiro have a session fixation vulnerability. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue. In the affected versions, when a session already exists, it is not invalidated upon successful login, nor is a new session being generated with a new ID.
  Title | | Apache Shiro: Session fixation: new session is not created after login by default
  Weaknesses | | CWE-384
  References | |
  Metrics (cvssV4_0) | | {'score': 5.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/AU:Y/R:U/RE:L/U:Amber'}



MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-05-26T12:39:39.186Z

Reserved: 2026-05-02T22:26:19.626Z

Link: CVE-2026-43827

Vulnrichment

Updated: 2026-05-25T21:26:12.053Z

NVD

Status : Received

Published: 2026-05-25T21:16:34.700

Modified: 2026-05-25T22:16:33.650

Link: CVE-2026-43827

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-25T21:30:06Z

Weaknesses