CVE-2026-56130

UNKNOWN 0.0

Apache Shiro: Remember-me cookie isn't checked for expiry on the server

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

"Remember me" cookie age is not verified on the server. This potentially allows an attacker to intercept a valid cookie and reuse it indefinitely, even after the configured expiration time has passed. This issue affects all Apache Shiro versions from 1.2.4 through 2.x, and 3.0.0-alpha-1, only when RememberMe functionality is enabled. Upgrade to version 3.0.0 or later, which fixes the issue.

CWE	CWE-294
Vendor	apache software foundation
Product	apache shiro
Published	Jun 25, 2026
Last Updated	Jun 25, 2026

Stay Ahead of the Next One

Get instant alerts for apache software foundation apache shiro

Be the first to know when new unknown vulnerabilities affecting apache software foundation apache shiro are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Apache Software Foundation / Apache Shiro

1.2.4 ≤ 2.99.99 3.0.0-alpha-0 ≤ 3.0.0-alpha-1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

lists.apache.org: https://lists.apache.org/thread/9k9b3bmlq516ylvf7cdp3dlrtdtmxbmo openwall.com: http://www.openwall.com/lists/oss-security/2026/06/24/8

Credits

Richard Bradley Lenny Primak <[email protected]>