Vulnerability Description
"Remember me" cookie age is not verified on the server. This potentially allows an attacker to intercept a valid cookie and reuse it indefinitely, even after the configured expiration time has passed. This issue affects all Apache Shiro versions from 1.2.4 through 2.x, and 3.0.0-alpha-1, only when RememberMe functionality is enabled. Upgrade to version 3.0.0 or later, which fixes the issue.
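To illustrate the defensive point, here is an added example (not Apache Shiro's code) of a signed remember-me token whose expiration is enforced on the server rather than by the browser's cookie lifetime. The key, token format, and 14-day maximum age are constructed assumptions; the first verifier reproduces the weakness (signature only, so a captured token never expires), the second also checks the token's age.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-key"        # assumption: server-side HMAC key
MAX_AGE_SECONDS = 14 * 24 * 3600        # assumption: configured remember-me lifetime
_SIG_LEN = hashlib.sha256().digest_size  # 32 bytes, fixed-length trailer


def issue_token(user, now, key=SECRET):
    """Build a remember-me token: JSON {user, issued-at} followed by an HMAC."""
    payload = json.dumps({"u": user, "iat": int(now)}, separators=(",", ":")).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + sig).decode()


def _parse(token, key):
    """Return the payload dict if the signature is valid, else None."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except (ValueError, UnicodeError):
        return None
    if len(raw) <= _SIG_LEN:
        return None
    payload, sig = raw[:-_SIG_LEN], raw[-_SIG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(payload)


def verify_vulnerable(token, now, key=SECRET):
    """Weak check: signature only. Age is ignored, so a replayed token works forever."""
    data = _parse(token, key)
    return data["u"] if data else None


def verify_fixed(token, now, key=SECRET, max_age=MAX_AGE_SECONDS):
    """Hardened check: signature plus server-side age limit on the issued-at time."""
    data = _parse(token, key)
    if data is None:
        return None
    age = now - data["iat"]
    if age < 0 or age > max_age:  # future-dated or expired tokens are rejected
        return None
    return data["u"]
```

Run both verifiers against the same token at a time well past the configured lifetime: only the hardened version refuses it.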
Related Weaknesses (CWE)
References
- https://lists.apache.org/thread/9k9b3bmlq516ylvf7cdp3dlrtdtmxbmo
- http://www.openwall.com/lists/oss-security/2026/06/24/8
FAQ
What is CVE-2026-56130?
CVE-2026-56130 is a documented vulnerability. "Remember me" cookie age is not verified on the server. This potentially allows an attacker to intercept a valid cookie and reuse it indefinitely, even after the configured expiration time has passed....
How severe is CVE-2026-56130?
CVSS scoring is not yet available for CVE-2026-56130. Check NVD for updates.
Is there a patch for CVE-2026-56130?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.