CVE-2026-56130

Sažetak

"Remember me" cookie age is not verified on the server. This potentially allows an attacker to intercept a valid cookie and reuse it indefinitely, even after the configured expiration time has passed. This issue affects all Apache Shiro versions from 1.2.4 through 2.x, and 3.0.0-alpha-1, only when RememberMe functionality is enabled. Upgrade to version 3.0.0 or later, which fixes the issue.

Reference

https://lists.apache.org/thread/9k9b3bmlq516ylvf7cdp3dlrtdtmxbmo
http://www.openwall.com/lists/oss-security/2026/06/24/8

CVSS

Base:	0.0
Impact:	None
Exploitability:	None

Pristup

Vektor	Složenost	Autentikacija
None	None	None

Impact

Povjerljivost	Cjelovitost	Dostupnost
None	None	None

CVSS vektor

None

Zadnje važnije ažuriranje

25-06-2026 - 13:27

Objavljeno

25-06-2026 - 09:16