CVE-2026-56130
Severity: Low (CVSS 2.0)
Exploitation Probability (EPSS): Low risk, 9th percentile (higher than 9% of all known CVEs)
Summary
The age of the 'Remember me' cookie is not verified on the server, potentially allowing an attacker to intercept a valid cookie and reuse it indefinitely, even after the configured expiration time has passed.
Risk Assessment
The organization may be exposed to attacks in which an intercepted "Remember me" cookie is replayed to gain access to user accounts, leading to account compromise.
Recommendation
It is recommended to upgrade to version 3.0.0 or later, which fixes the issue.
Original NVD description (English source)
"Remember me" cookie age is not verified on the server. This potentially allows an attacker to intercept a valid cookie and reuse it indefinitely, even after the configured expiration time has passed. This issue affects all Apache Shiro versions from 1.2.4 through 2.x, and 3.0.0-alpha-1, only when RememberMe functionality is enabled. Upgrade to version 3.0.0 or later, which fixes the issue.
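The root cause is that expiry was left to the browser's cookie Max-Age, which a replayed cookie never honours. The following Python sketch is an added illustration, not Apache Shiro's code or token format: it signs an issue timestamp into a constructed remember-me token and contrasts a server that ignores that timestamp with one that enforces the configured lifetime. The key, token layout and 14-day lifetime are assumptions for the demo.

```python
import base64
import hashlib
import hmac

SECRET_KEY = b"constructed-demo-key"   # assumption: key held only by the server
MAX_AGE_SECONDS = 14 * 24 * 3600       # the configured remember-me lifetime


def issue_cookie(username: str, issued_at: int) -> str:
    """Build a signed token base64(username:issued_at:hmac) for the Set-Cookie value."""
    payload = f"{username}:{issued_at}".encode()
    tag = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload + b":" + tag.encode()).decode()


def verify_signature(cookie: str):
    """Return (username, issued_at) when the HMAC is intact, else None."""
    try:
        raw = base64.urlsafe_b64decode(cookie.encode()).decode()
        username, issued_at, tag = raw.rsplit(":", 2)
        issued_at = int(issued_at)
    except ValueError:          # bad base64, bad UTF-8, wrong field count, non-numeric time
        return None
    expected = hmac.new(SECRET_KEY, f"{username}:{issued_at}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return username, issued_at


def login_vulnerable(cookie: str, now: int):
    """Pre-fix behaviour: any intact token is accepted regardless of age.
    Expiry relied on the browser's Max-Age alone, so a captured token
    replayed from another client never expires."""
    parsed = verify_signature(cookie)
    return parsed[0] if parsed else None


def login_fixed(cookie: str, now: int):
    """Fixed behaviour: the server enforces the lifetime from the issue time it signed."""
    parsed = verify_signature(cookie)
    if parsed is None:
        return None
    username, issued_at = parsed
    if issued_at > now or now - issued_at > MAX_AGE_SECONDS:
        return None             # future-dated or stale: require a fresh login
    return username
```

Because the issue time is covered by the HMAC, a client cannot extend its own token; the server's clock, not the cookie header, decides when a remembered session ends.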