
Description

"Remember me" cookie age is not verified on the server. This potentially allows an attacker to intercept a valid cookie and reuse it indefinitely, even after the configured expiration time has passed. This issue affects all Apache Shiro versions from 1.2.4 through 2.x, and 3.0.0-alpha-1, only when RememberMe functionality is enabled. Upgrade to version 3.0.0 or later, which fixes the issue.
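The defect described above is a missing server-side check, not a broken cookie format: the cookie's integrity may be verified, but the age it encodes is never compared against the server's own clock and configured lifetime. The following added example (not Apache Shiro code, and not the project's remediation) shows the two patterns side by side in a minimal HMAC-protected "remember me" token. The token layout, the class `RememberMeCheck`, the methods `issue`, `verifyIgnoringAge` and `verify`, and the sample key and timestamps are all assumptions constructed for this illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Optional;

// Added example (not Apache Shiro code): a minimal "remember me" token that
// carries an issued-at timestamp, plus two server-side verifiers. The token
// format, class and method names are assumptions made for this illustration.
public final class RememberMeCheck {
    private static final String ALG = "HmacSHA256";
    private final byte[] secret;       // server-only key; never sent to the client
    private final long maxAgeSeconds;  // configured cookie lifetime

    public RememberMeCheck(byte[] secret, long maxAgeSeconds) {
        this.secret = secret.clone();
        this.maxAgeSeconds = maxAgeSeconds;
    }

    // Token layout: base64url(principal "|" issuedAtEpochSeconds) "." base64url(HMAC)
    public String issue(String principal, long issuedAtEpochSeconds) {
        byte[] payload = (principal + "|" + issuedAtEpochSeconds).getBytes(StandardCharsets.UTF_8);
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        return enc.encodeToString(payload) + "." + enc.encodeToString(hmac(payload));
    }

    // Weak pattern matching the advisory: integrity is checked, age is not,
    // so a captured cookie keeps working after the configured lifetime.
    public Optional<String> verifyIgnoringAge(String token) {
        return parse(token).map(p -> p.principal);
    }

    // Hardened pattern: the server also compares issued-at against its own clock.
    public Optional<String> verify(String token, long nowEpochSeconds) {
        return parse(token)
                .filter(p -> p.issuedAt <= nowEpochSeconds)                  // reject future-dated tokens
                .filter(p -> nowEpochSeconds - p.issuedAt <= maxAgeSeconds)  // reject expired tokens
                .map(p -> p.principal);
    }

    private static final class Parsed {
        final String principal;
        final long issuedAt;
        Parsed(String principal, long issuedAt) { this.principal = principal; this.issuedAt = issuedAt; }
    }

    // Returns the payload only if the MAC verifies; no client-supplied field is trusted before that.
    private Optional<Parsed> parse(String token) {
        String[] parts = token.split("\\.", -1);
        if (parts.length != 2) return Optional.empty();
        byte[] payload;
        byte[] mac;
        try {
            payload = Base64.getUrlDecoder().decode(parts[0]);
            mac = Base64.getUrlDecoder().decode(parts[1]);
        } catch (IllegalArgumentException e) {
            return Optional.empty();
        }
        if (!MessageDigest.isEqual(hmac(payload), mac)) return Optional.empty();  // constant-time compare
        String text = new String(payload, StandardCharsets.UTF_8);
        int sep = text.lastIndexOf('|');
        if (sep < 0) return Optional.empty();
        try {
            return Optional.of(new Parsed(text.substring(0, sep), Long.parseLong(text.substring(sep + 1))));
        } catch (NumberFormatException e) {
            return Optional.empty();
        }
    }

    private byte[] hmac(byte[] data) {
        try {
            Mac m = Mac.getInstance(ALG);
            m.init(new SecretKeySpec(secret, ALG));
            return m.doFinal(data);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        byte[] key = "constructed-demo-key-not-for-production".getBytes(StandardCharsets.UTF_8);
        long fourteenDays = 14L * 24 * 3600;
        RememberMeCheck rm = new RememberMeCheck(key, fourteenDays);

        long issuedAt = 1_700_000_000L;                  // constructed issue time
        String cookie = rm.issue("alice", issuedAt);
        long thirtyDaysLater = issuedAt + 30L * 24 * 3600;

        System.out.println("age ignored, 30 days later : " + rm.verifyIgnoringAge(cookie));
        System.out.println("age enforced, 1 hour later : " + rm.verify(cookie, issuedAt + 3600));
        System.out.println("age enforced, 30 days later: " + rm.verify(cookie, thirtyDaysLater));

        // Payload for a different principal spliced onto alice's MAC: rejected before any field is trusted.
        String forged = rm.issue("bob", issuedAt).split("\\.")[0] + "." + cookie.split("\\.")[1];
        System.out.println("forged payload             : " + rm.verify(forged, issuedAt));
    }
}
```

Two design points follow from the advisory's CWE-294 classification. First, the age check must use the server's clock and the server's configured lifetime; the browser-side cookie expiry is advisory only, since a captured cookie value can be presented long after the browser would have discarded it. Second, enforcing maximum age bounds the replay window to the configured lifetime but does not shrink it further; shortening that lifetime, or keeping a server-side record that allows issued tokens to be revoked, is what limits reuse of a cookie captured within the window.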

Status: PUBLISHED | Reserved 2026-06-19 | Published 2026-06-25 | Updated 2026-06-25 | Assigner: apache

Severity: LOW 2.0 (CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/S:N/AU:Y/V:D/RE:L/U:Green)

Problem types

CWE-294 Authentication Bypass by Capture-replay

Product status

Default status: unaffected

1.2.4 (semver): affected

3.0.0-alpha-0 (semver): affected

Credits

Richard Bradley (finder)

Lenny Primak <lenny@flowlogix.com> (remediation developer)

References

www.openwall.com/lists/oss-security/2026/06/24/8

lists.apache.org/thread/9k9b3bmlq516ylvf7cdp3dlrtdtmxbmo (vendor-advisory)

cve.org (CVE-2026-56130)

nvd.nist.gov (CVE-2026-56130)
