CVE-2026-56130
Received Received - Intake

Insecure RememberMe Cookie Persistence in Apache Shiro

Vulnerability report for CVE-2026-56130, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: Apache Software Foundation

Description

"Remember me" cookie age is not verified on the server. This potentially allows an attacker to intercept a valid cookie and reuse it indefinitely, even after the configured expiration time has passed. This issue affects all Apache Shiro versions from 1.2.4 through 2.x, and 3.0.0-alpha-1, only when RememberMe functionality is enabled. Upgrade to version 3.0.0 or later, which fixes the issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-25
Last Modified
2026-06-25
Generated
2026-07-15
AI Q&A
2026-06-25
EPSS Evaluated
2026-07-14
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
apache shiro From 1.2.4 (inc) to 2.x (inc)
apache shiro 3.0.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-294 A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes).

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability occurs because the "Remember me" cookie age is not verified on the server side in affected Apache Shiro versions. As a result, an attacker who intercepts a valid "Remember me" cookie can reuse it indefinitely, even after the cookie's configured expiration time has passed.

It affects all Apache Shiro versions from 1.2.4 through 2.x, and 3.0.0-alpha-1, but only when the RememberMe functionality is enabled.

Impact Analysis

The vulnerability allows an attacker to reuse a valid "Remember me" cookie indefinitely, which can lead to unauthorized access to user accounts or sessions.

This means that even after a user’s session should have expired, an attacker with the intercepted cookie can continue to impersonate the user, potentially compromising sensitive information or functionality.

Mitigation Strategies

To mitigate this vulnerability, upgrade Apache Shiro to version 3.0.0 or later, which fixes the issue related to the "Remember me" cookie age not being verified on the server.

Compliance Impact

The vulnerability allows an attacker to reuse a valid "remember me" cookie indefinitely by not verifying its age on the server side. This could lead to unauthorized access to user accounts beyond the intended session duration.

Such unauthorized access risks violating security and privacy requirements in common standards and regulations like GDPR and HIPAA, which mandate proper session management and protection of user data to prevent unauthorized access.

Therefore, this vulnerability potentially undermines compliance with these regulations by enabling prolonged unauthorized access through session hijacking.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56130. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart