{"schema_version": "1.6.1", "id": "CVE-2026-43827", "summary": "Session fixation: new session is not created after login by default", "details": "Default configurations of Apache Shiro have a session fixation vulnerability.\n\nThis issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1.\n\nUsers are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue.\n\nIn the affected versions, when a session already exists, it is not invalidated upon successful login, nor is a new session being generated with a new ID.", "affected": [{"ranges": [{"type": "SEMVER", "events": [{"introduced": "1.0"}, {"last_affected": "1.0"}]}, {"type": "SEMVER", "events": [{"introduced": "3.0.0-alpha-0"}, {"last_affected": "3.0.0-alpha-0"}]}]}], "references": [{"type": "WEB", "url": "https://shiro.apache.org/security-reports.html#cve_2026_43827"}]}