Vulnerability in Apache Software Foundation Shiro
CVE-2026-56130
"Remember me" cookie age is not verified on the server. This potentially allows an attacker to intercept a valid cookie and reuse it indefinitely, even after the configured expiration time has passed. This issue affects all Apache Shiro ve…
EPSS: 0.002 (9.4th percentile)
Affected products
- Apache Software Foundation Shiro — versions 1.2.4, 3.0.0-alpha-0
Weakness classification (CWE)