Description
A security flaw has been discovered in perfree go-fastdfs-web up to 1.3.7. This affects the function rememberMeManager of the file src/main/java/com/perfree/config/ShiroConfig.java of the component Apache Shiro RememberMe. Performing a manipulation results in use of hard-coded cryptographic key. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitability is reported as difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-03-11
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Potential unauthorized access
Action: Upgrade
AI Analysis

Impact

Perfree go-fastdfs-web versions 1.3.7 and earlier contain a flaw in the ShiroConfig rememberMeManager. A hard‑coded cryptographic key is used to encrypt and decrypt the RememberMe cookie, as noted in the vendor description. Because the key is static, an attacker can potentially forge or decrypt RememberMe tokens. The description does not state the exact impact, but a hard‑coded key in an authentication component commonly allows unauthorized access or session hijacking. This potential impact is inferred from the nature of the vulnerability and the use of a static key within the authentication flow.

Affected Systems

The CVE applies to the perfree:go-fastdfs-web application, with affected versions up to version 1.3.7, as indicated in the vendor description. No later versions are mentioned in the advisory text. Users running any release of perfree go-fastdfs-web 1.3.7 or earlier are therefore potentially vulnerable.

Risk and Exploitability

The CVSS score of 6.3 places the weakness in the medium severity range, while a low EPSS (<1%) suggests that it is not currently widely exploited. The vendor has not published a fix, and the CVE is not listed in the CISA KEV catalog. The attack vector is remote, via the RememberMe feature; the description states that manipulation results in use of the static key, and exploitation is reported as difficult although a proof of concept has been released publicly. Thus, the risk is moderate with a low probability of active exploitation at present, but the availability of a public exploit makes it prudent to act.

Generated by OpenCVE AI on March 17, 2026 at 17:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade perfree go-fastdfs-web to a version beyond 1.3.7 if a patch or newer release removes the hard‑coded key.
  • Disable the RememberMe feature in Apache Shiro or configure it with a securely generated key instead of the static one.
  • Monitor application logs for unusual authentication token activity or cryptographic errors that may indicate exploitation attempts.
  • Keep the application and any underlying libraries up to date; check the vendor or open‑source repository for any updates or configuration guidance.
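The second and third actions above amount to one configuration change in Shiro: stop compiling the RememberMe cipher key into the source and supply a per-deployment key at runtime. The following is an added example written for this page, not code from go-fastdfs-web or from the Apache Shiro project; the package name, the `SHIRO_REMEMBERME_KEY` environment variable, the placeholder key value and the helper names are assumptions. It places the vulnerable pattern (a constant key, the shape of CWE-321) beside a hardened `rememberMeManager` that refuses to start without a properly sized key from outside the code base.

```java
// Added example (not code from go-fastdfs-web or Apache Shiro): the hard-coded
// RememberMe key pattern (CWE-321) and a hardened equivalent.
package example.config; // hypothetical package for this example

import java.security.Key;
import java.util.Base64;
import org.apache.shiro.crypto.AesCipherService;
import org.apache.shiro.web.mgt.CookieRememberMeManager;
import org.apache.shiro.web.servlet.SimpleCookie;

public class RememberMeKeyExample {

    // --- Vulnerable pattern: the key is a compile-time constant ---
    // CONSTRUCTED placeholder value; the real project's key is not reproduced here.
    private static final String STATIC_KEY_B64 = "AAAAAAAAAAAAAAAAAAAAAA==";

    public static CookieRememberMeManager vulnerableRememberMeManager() {
        CookieRememberMeManager mgr = new CookieRememberMeManager();
        // Every deployment shares this key, so anyone who reads the source can
        // decrypt or forge the rememberMe cookie of every instance.
        mgr.setCipherKey(Base64.getDecoder().decode(STATIC_KEY_B64));
        return mgr;
    }

    // --- Hardened pattern: per-deployment key supplied at runtime ---
    public static CookieRememberMeManager hardenedRememberMeManager() {
        // Environment variable name is an assumption of this example.
        String keyB64 = System.getenv("SHIRO_REMEMBERME_KEY");
        if (keyB64 == null || keyB64.isBlank()) {
            // Fail closed: never fall back to a built-in default key.
            throw new IllegalStateException(
                "SHIRO_REMEMBERME_KEY is not set; generate one with newKeyBase64() "
              + "and store it in the deployment's secret store");
        }
        byte[] key = Base64.getDecoder().decode(keyB64);
        if (key.length != 16 && key.length != 24 && key.length != 32) {
            throw new IllegalStateException(
                "rememberMe key must be a 128/192/256-bit AES key, got "
              + (key.length * 8) + " bits");
        }
        CookieRememberMeManager mgr = new CookieRememberMeManager();
        mgr.setCipherKey(key);

        // Cookie hygiene for the token that this key protects.
        SimpleCookie cookie = new SimpleCookie("rememberMe");
        cookie.setHttpOnly(true);
        cookie.setSecure(true);
        cookie.setMaxAge(7 * 24 * 3600); // one week, in seconds
        mgr.setCookie(cookie);
        return mgr;
    }

    // One-time generation of a fresh 256-bit AES key for the secret store.
    // Run once per deployment; never commit the output to source control.
    public static String newKeyBase64() {
        AesCipherService aes = new AesCipherService();
        aes.setKeySize(256);
        Key key = aes.generateNewKey();
        return Base64.getEncoder().encodeToString(key.getEncoded());
    }

    public static void main(String[] args) {
        System.out.println("Fresh rememberMe key (keep secret): " + newKeyBase64());
    }
}
```

Rotating to a fresh key invalidates every existing rememberMe cookie, which is the intended effect after a key exposure: users simply log in again. A failed decryption of an old or forged cookie is logged by Shiro as a remembered-principals failure, which is the "cryptographic errors" signal the monitoring action above refers to.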


Advisories

No advisories yet.

History

Thu, 12 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 12 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Perfree
Perfree go-fastdfs-web
Vendors & Products Perfree
Perfree go-fastdfs-web

Wed, 11 Mar 2026 23:15:00 +0000

Type Values Removed Values Added
Description A security flaw has been discovered in perfree go-fastdfs-web up to 1.3.7. This affects the function rememberMeManager of the file src/main/java/com/perfree/config/ShiroConfig.java of the component Apache Shiro RememberMe. Performing a manipulation results in use of hard-coded cryptographic key . The attack can be initiated remotely. The complexity of an attack is rather high. The exploitability is reported as difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Title perfree go-fastdfs-web Apache Shiro RememberMe ShiroConfig.java rememberMeManager hard-coded key
Weaknesses CWE-320
CWE-321
References
Metrics cvssV2_0

{'score': 2.6, 'vector': 'AV:N/AC:H/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 3.7, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Perfree Go-fastdfs-web
MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-12T13:35:12.584Z

Reserved: 2026-03-11T12:58:50.832Z

Link: CVE-2026-3963

Vulnrichment

Updated: 2026-03-12T13:35:08.764Z

NVD

Status: Awaiting Analysis

Published: 2026-03-11T23:16:00.983

Modified: 2026-03-12T21:07:53.427

Link: CVE-2026-3963

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:36:40Z

Weaknesses