CVE-2026-56130
Insecure RememberMe Cookie Persistence in Apache Shiro

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: Apache Software Foundation

Description
"Remember me" cookie age is not verified on the server. This potentially allows an attacker to intercept a valid cookie and reuse it indefinitely, even after the configured expiration time has passed. This issue affects all Apache Shiro versions from 1.2.4 through 2.x, and 3.0.0-alpha-1, only when RememberMe functionality is enabled. Upgrade to version 3.0.0 or later, which fixes the issue.
Affected Vendors & Products (2 associated CPEs)

Vendor    Product    Version / Range
apache    shiro      From 1.2.4 (inc) to 2.x (inc)
apache    shiro      3.0.0
CWE

CWE ID     Description
CWE-294    A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes).
Executive Summary

This vulnerability occurs because the "Remember me" cookie age is not verified on the server side in affected Apache Shiro versions. As a result, an attacker who intercepts a valid "Remember me" cookie can reuse it indefinitely, even after the cookie's configured expiration time has passed.

It affects all Apache Shiro versions from 1.2.4 through 2.x, and 3.0.0-alpha-1, but only when the RememberMe functionality is enabled.

Impact Analysis

The vulnerability allows an attacker to reuse a valid "Remember me" cookie indefinitely, which can lead to unauthorized access to user accounts or sessions.

This means that even after the cookie's configured expiration time has passed, an attacker holding the intercepted cookie can continue to impersonate the user, potentially compromising sensitive information or functionality.

Mitigation Strategies

To mitigate this vulnerability, upgrade Apache Shiro to version 3.0.0 or later, which fixes the issue related to the "Remember me" cookie age not being verified on the server.
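As an added illustration (not Shiro's own code or cookie format), the constructed Python example below contrasts a remember-me validator that checks only the cookie's signature and trusts the browser's Max-Age with one that also enforces the issue age on the server, so an intercepted cookie stops working once the configured lifetime has passed. The key, the field names and the two-week lifetime are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key and lifetime; a real deployment loads these from config.
SECRET = b"constructed-demo-key-not-a-real-secret"
MAX_AGE_SECONDS = 14 * 24 * 3600  # two weeks, the intended remember-me lifetime
SIG_LEN = hashlib.sha256().digest_size


def _sign(payload: bytes) -> bytes:
    return hmac.new(SECRET, payload, hashlib.sha256).digest()


def issue_cookie(username: str, issued_at: int) -> str:
    """Build a signed remember-me cookie that carries its issue timestamp."""
    payload = json.dumps({"u": username, "iat": issued_at}).encode()
    return base64.urlsafe_b64encode(payload + _sign(payload)).decode()


def _verify_signature(cookie: str):
    """Return the claims if the HMAC is intact, otherwise None."""
    raw = base64.urlsafe_b64decode(cookie.encode())
    payload, sig = raw[:-SIG_LEN], raw[-SIG_LEN:]
    if not hmac.compare_digest(sig, _sign(payload)):
        return None
    return json.loads(payload)


def validate_vulnerable(cookie: str, now: int):
    """Integrity only: relies on the browser discarding the cookie at Max-Age.
    A replayed cookie keeps authenticating forever (the CVE-2026-56130 pattern)."""
    claims = _verify_signature(cookie)
    return claims["u"] if claims else None


def validate_hardened(cookie: str, now: int):
    """Also enforces the age on the server, so replay after expiry fails."""
    claims = _verify_signature(cookie)
    if claims is None:
        return None
    age = now - claims["iat"]
    if age > MAX_AGE_SECONDS or age < 0:  # expired, or issued "in the future"
        return None
    return claims["u"]
```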
