CVE Catalog

CVE-2026-56130

Severity: Low (CVSS 2.0)

Exploitation Probability (EPSS)

Low risk
0.20%

9th percentile — higher than 9% of all known CVEs

Summary

The server does not verify the age of the 'Remember me' cookie, so the configured expiration is honoured only by the browser. An attacker who intercepts a valid cookie can replay it indefinitely, long after the configured expiration time has passed, because nothing on the server side rejects an old cookie.

Risk Assessment

An attacker who obtains a valid RememberMe cookie (for example by intercepting it in transit or recovering it from a compromised client) can present it to the application indefinitely and be treated as the remembered user, well beyond the lifetime the administrator configured. The exposure applies only to deployments with RememberMe enabled; its impact is persistent unauthorised access to the affected user accounts.

Recommendation

Upgrade to Apache Shiro 3.0.0 or later, which fixes the issue. Affected releases are 1.2.4 through 2.x and 3.0.0-alpha-1, and only when RememberMe functionality is enabled. Where an upgrade cannot be applied immediately, disabling RememberMe removes the exposure. Because a previously captured cookie is the precondition for the attack, it is also worth rotating the RememberMe cipher key alongside the upgrade: cookies encrypted under the old key can no longer be decrypted and are rejected, which invalidates anything an attacker may already hold.

Original NVD description (English source)

"Remember me" cookie age is not verified on the server. This potentially allows an attacker to intercept a valid cookie and reuse it indefinitely, even after the configured expiration time has passed. This issue affects all Apache Shiro versions from 1.2.4 through 2.x, and 3.0.0-alpha-1, only when RememberMe functionality is enabled. Upgrade to version 3.0.0 or later, which fixes the issue.
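The following is an added illustration of the bug class described above, written for this page; it is not Apache Shiro's code and does not reproduce Shiro's cookie format (Shiro encrypts serialized principals rather than signing JSON). The signed-JSON cookie, the key, the subject name and the 14-day lifetime are all constructed for the example. It shows a remember-me check that validates integrity but ignores the cookie's age, so a captured cookie replays forever, next to a variant that enforces the configured lifetime on the server:

```python
"""
Added illustration (not Apache Shiro code): a minimal 'remember me' cookie
whose expiry is enforced only by the browser, beside a variant that also
checks the cookie's age on the server.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the example; a real deployment loads the key from
# configuration and never hard-codes it.
SERVER_KEY = b"example-remember-me-key-not-for-production"
MAX_AGE_SECONDS = 14 * 24 * 3600   # the configured 'remember me' lifetime


def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode("ascii")


def issue_cookie(subject, now=None):
    """Server side: build a signed cookie value carrying the subject and
    the issue time (iat). The HTTP response would also send Max-Age, but
    Max-Age is only advice to the browser; an attacker ignores it."""
    now = int(time.time() if now is None else now)
    payload = json.dumps({"sub": subject, "iat": now}, separators=(",", ":")).encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def _verify_and_decode(cookie):
    """Integrity check shared by both variants: reject anything whose tag
    does not match. Returns the payload dict or None."""
    try:
        p64, t64 = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(p64)
        tag = base64.urlsafe_b64decode(t64)   # binascii.Error is a ValueError
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        data = json.loads(payload)
    except ValueError:
        return None
    return data if isinstance(data, dict) else None


def vulnerable_remembered_subject(cookie):
    """Mirrors the flaw class: the tag is checked, the issue time is ignored.
    A captured cookie replayed by an attacker is accepted however old it is."""
    data = _verify_and_decode(cookie)
    return data.get("sub") if data else None


def fixed_remembered_subject(cookie, now=None):
    """Hardened variant: the server enforces the configured lifetime itself,
    using the issue time it signed into the cookie."""
    data = _verify_and_decode(cookie)
    if data is None:
        return None
    now = int(time.time() if now is None else now)
    try:
        age = now - int(data["iat"])
    except (KeyError, TypeError, ValueError):
        return None
    if age < 0 or age > MAX_AGE_SECONDS:
        return None          # expired, or issued in the future (clock skew)
    return data.get("sub")


def forge_cookie(cookie, new_subject):
    """Attacker side: swap the subject but keep the original tag. Both
    variants reject this, showing the bug is about age, not integrity."""
    _, t64 = cookie.split(".", 1)
    payload = json.dumps({"sub": new_subject, "iat": 0}, separators=(",", ":")).encode()
    return _b64(payload) + "." + t64


def replay_scenario(issued_at, replayed_at):
    """Capture-and-replay of one cookie against both variants."""
    cookie = issue_cookie("alice", now=issued_at)
    return {
        "vulnerable": vulnerable_remembered_subject(cookie),
        "fixed": fixed_remembered_subject(cookie, now=replayed_at),
    }


if __name__ == "__main__":
    t0 = 1_700_000_000
    print(replay_scenario(t0, t0 + 3600))                  # both accept
    print(replay_scenario(t0, t0 + MAX_AGE_SECONDS + 1))  # only the vulnerable one accepts
```

The point of the two functions is that the integrity check alone does nothing against replay: a cookie the server signed yesterday or a year ago is equally "valid" to `vulnerable_remembered_subject`. Only by signing an issue time into the cookie and comparing it against the configured lifetime on every request does the server stop trusting the browser to forget the cookie.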

Vulnerability data from NVD (NIST) · CISA KEV · EPSS