Description
"Remember me" cookie age is not verified on the server. This potentially allows an attacker to intercept a valid cookie and reuse it indefinitely, even after the configured expiration time has passed.
This issue affects all Apache Shiro versions from 1.2.4 through 2.x, and 3.0.0-alpha-1, only when RememberMe functionality is enabled.


Upgrade to version 3.0.0 or later, which fixes the issue.
Published: 2026-06-25
Score: 2 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The remember‑me cookie expiration is not validated server‑side, allowing an attacker who obtains a valid cookie to replay it indefinitely. This permits unauthorized session persistence and potential impersonation of legitimate users. The flaw aligns with CWE‑294.

Affected Systems

Apache Shiro versions 1.2.4 through 2.x and 3.0.0‑alpha‑1 are affected when RememberMe is enabled. All newer releases starting at 3.0.0 address this flaw.

Risk and Exploitability

The CVSS score of 2 indicates low severity, and the EPSS score is unavailable, suggesting limited exploitation evidence. The vulnerability is not listed in KEV. An attacker requires only a captured cookie to exploit, lacking any privileged conditions; impact is confined to session hijacking. Given the low severity, monitoring and patching remain prudent.

Generated by OpenCVE AI on June 25, 2026 at 11:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Apache Shiro 3.0.0 or later, which includes the fix for the cookie expiry check.
  • If an upgrade is not immediately possible, disable the RememberMe feature or configure it to eliminate session persistence beyond expiration.
  • After any remediation, clear existing remember‑me cookies or force a re‑authentication to invalidate stolen tokens.
  • Consider enabling secure attributes such as Secure and HttpOnly on the cookie to reduce interception risk.

Generated by OpenCVE AI on June 25, 2026 at 11:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 00:45:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 3.0, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N'}

threat_severity

Low


Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache shiro
Vendors & Products Apache
Apache shiro

Thu, 25 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description "Remember me" cookie age is not verified on the server. This potentially allows an attacker to intercept a valid cookie and reuse it indefinitely, even after the configured expiration time has passed. This issue affects all Apache Shiro versions from 1.2.4 through 2.x, and 3.0.0-alpha-1, only when RememberMe functionality is enabled. Upgrade to version 3.0.0 or later, which fixes the issue.
Title Apache Shiro: Remember-me cookie isn't checked for expiry on the server
Weaknesses CWE-294
References
Metrics cvssV4_0

{'score': 2, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/S:N/AU:Y/V:D/RE:L/U:Green'}


cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-25T12:12:43.666Z

Reserved: 2026-06-19T02:22:39.706Z

Link: CVE-2026-56130

cve-icon Vulnrichment

Updated: 2026-06-25T09:10:12.244Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Low

Publid Date: 2026-06-25T08:44:30Z

Links: CVE-2026-56130 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:38:22Z

Weaknesses
  • CWE-294

    Authentication Bypass by Capture-replay