MEDIUM

GHSA-fcvm-3cpj-f9qx

Apache Shiro has a session fixation vulnerability

Details

Default configurations of Apache Shiro have a session fixation vulnerability.

This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1.

Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue.

In the affected versions, when a session already exists, it is not invalidated upon successful login, nor is a new session being generated with a new ID.

Are you affected?

Enter the version of the package you're using.

Affected packages

Maven / org.apache.shiro:shiro-core

Introduced in: 1.0.0-incubating Fixed in: 2.2.0

Fix # pom.xml: bump <version>2.2.0</version> for org.apache.shiro:shiro-core

Maven / org.apache.shiro:shiro-core

Introduced in: 3.0.0-alpha-1 Fixed in: 3.0.0-alpha-2

Fix # pom.xml: bump <version>3.0.0-alpha-2</version> for org.apache.shiro:shiro-core

References

https://nvd.nist.gov/vuln/detail/CVE-2026-43827 [ADVISORY]
https://github.com/apache/shiro [PACKAGE]
https://shiro.apache.org/security-reports.html#cve_2026_43827 [WEB]
http://www.openwall.com/lists/oss-security/2026/05/25/6 [WEB]