CVE-2026-56130 PUBLISHED

Apache Shiro: Remember-me cookie isn't checked for expiry on the server

Assigner: apache
Reserved: 19.06.2026 Published: 25.06.2026 Updated: 25.06.2026

"Remember me" cookie age is not verified on the server. This potentially allows an attacker to intercept a valid cookie and reuse it indefinitely, even after the configured expiration time has passed. This issue affects all Apache Shiro versions from 1.2.4 through 2.x, and 3.0.0-alpha-1, only when RememberMe functionality is enabled.

Upgrade to version 3.0.0 or later, which fixes the issue.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/S:N/AU:Y/V:D/RE:L/U:Green
CVSS Score: 2

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	Low	Confidentiality	Low
Attack Complexity	High	Integrity	None	Integrity	None
Attack Requirements	None	Availability	None	Availability	None
Privileges Required	Low
User Interaction	Active

CVSS 4.0

Product Status

Vendor	Apache Software Foundation
Product	Apache Shiro
Versions	Default: unaffected affected from 1.2.4 to 2.99.99 (incl.) affected from 3.0.0-alpha-0 to 3.0.0-alpha-1 (incl.)

Credits

Richard Bradley finder
Lenny Primak <lenny@flowlogix.com> remediation developer

References

https://lists.apache.org/thread/9k9b3bmlq516ylvf7cdp3dlrtdtmxbmo

Problem Types

CWE-294 Authentication Bypass by Capture-replay CWE