Session Management Flaw in Apache Shiro Affects Cookie Security
CVE-2026-56130

CVSS v4 score: 2 (LOW)

Key Information:

Vendor: Apache

CVE Published: 25 June 2026

What is CVE-2026-56130?

Apache Shiro versions from 1.2.4 through 2.x, and the 3.0.0-alpha-1 pre-release, are affected by a session management vulnerability in the 'Remember Me' cookie functionality. The server does not properly verify the age of the cookie, so an attacker who obtains a valid remember-me cookie (for example by intercepting it) can replay it indefinitely: the cookie's configured expiration is not enforced on the server side, and the browser-side expiry attribute does nothing against a captured value that is replayed directly. This can restore a user's session long after the cookie should have expired, potentially leading to unauthorized access. Users should upgrade to version 3.0.0 or later to mitigate this risk.
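The failure mode described above, as an added example that is not code from the Apache Shiro project or from this advisory: a minimal remember-me token whose server-side verifier either ignores the token's issue time (the vulnerable pattern) or enforces a maximum age against it (the hardened pattern). The token format, the class and method names, the HMAC construction and the sample key are all assumptions made for the illustration; Shiro's real remember-me cookie is built differently, and nothing here reproduces the project's own fix.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.time.ZoneOffset;
import java.util.Base64;
import java.util.Optional;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Illustrative remember-me token (assumed format): base64url(payload) + "." + base64url(HMAC-SHA256(payload)),
 *  where payload is "principal|issuedAtEpochSeconds". Not Shiro's cookie format. */
public final class RememberMeTokenDemo {
    private static final String MAC_ALG = "HmacSHA256";
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();

    private final byte[] key;
    private final Duration maxAge;

    RememberMeTokenDemo(byte[] key, Duration maxAge) {
        this.key = key.clone();
        this.maxAge = maxAge;
    }

    /** Mint a token that binds the principal to its issue time under the MAC. */
    String mint(String principal, Clock clock) {
        String payload = principal + "|" + clock.instant().getEpochSecond();
        byte[] payloadBytes = payload.getBytes(StandardCharsets.UTF_8);
        return ENC.encodeToString(payloadBytes) + "." + ENC.encodeToString(mac(payloadBytes));
    }

    /** Vulnerable pattern: authenticity is checked, age is not, so a captured token is replayable forever. */
    Optional<String> verifyWithoutAgeCheck(String token) {
        return authenticPayload(token).map(p -> p.split("\\|", 2)[0]);
    }

    /** Hardened pattern: authenticity plus a server-side age check against the token's own issue time. */
    Optional<String> verifyWithAgeCheck(String token, Clock clock) {
        Optional<String> payload = authenticPayload(token);
        if (payload.isEmpty()) return Optional.empty();
        String[] parts = payload.get().split("\\|", 2);
        if (parts.length != 2) return Optional.empty();
        long issuedAt;
        try {
            issuedAt = Long.parseLong(parts[1]);
        } catch (NumberFormatException e) {
            return Optional.empty();
        }
        Instant issued = Instant.ofEpochSecond(issuedAt);
        Instant now = clock.instant();
        // Reject tokens dated in the future (skew or forgery) and tokens older than the configured maximum.
        if (issued.isAfter(now) || Duration.between(issued, now).compareTo(maxAge) > 0) return Optional.empty();
        return Optional.of(parts[0]);
    }

    private Optional<String> authenticPayload(String token) {
        int dot = token.indexOf('.');
        if (dot < 0) return Optional.empty();
        byte[] payloadBytes;
        byte[] tag;
        try {
            payloadBytes = DEC.decode(token.substring(0, dot));
            tag = DEC.decode(token.substring(dot + 1));
        } catch (IllegalArgumentException e) {
            return Optional.empty();
        }
        // Constant-time comparison so the MAC check does not become a timing oracle.
        if (!MessageDigest.isEqual(mac(payloadBytes), tag)) return Optional.empty();
        return Optional.of(new String(payloadBytes, StandardCharsets.UTF_8));
    }

    private byte[] mac(byte[] data) {
        try {
            Mac mac = Mac.getInstance(MAC_ALG);
            mac.init(new SecretKeySpec(key, MAC_ALG));
            return mac.doFinal(data);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        // Constructed sample key and timestamps for the demonstration only.
        byte[] key = "demo-key-not-for-production-use!".getBytes(StandardCharsets.UTF_8);
        RememberMeTokenDemo mgr = new RememberMeTokenDemo(key, Duration.ofDays(14));
        Instant t0 = Instant.parse("2026-06-25T00:00:00Z");
        String token = mgr.mint("alice", Clock.fixed(t0, ZoneOffset.UTC));

        Clock fresh = Clock.fixed(t0.plus(Duration.ofDays(1)), ZoneOffset.UTC);
        Clock stale = Clock.fixed(t0.plus(Duration.ofDays(400)), ZoneOffset.UTC); // long past the 14-day limit

        System.out.println("stale token, no age check : " + mgr.verifyWithoutAgeCheck(token));
        System.out.println("fresh token, age check    : " + mgr.verifyWithAgeCheck(token, fresh));
        System.out.println("stale token, age check    : " + mgr.verifyWithAgeCheck(token, stale));

        // A rewritten payload fails the MAC in both verifiers; only the age check stops the replay.
        String tampered = ENC.encodeToString("bob|0".getBytes(StandardCharsets.UTF_8)) + token.substring(token.indexOf('.'));
        System.out.println("tampered token            : " + mgr.verifyWithoutAgeCheck(tampered));
    }
}
```

Two points carry over to any remember-me design: the issue time has to sit inside the authenticated payload, otherwise the holder of a captured token can simply rewrite it; and the age check has to run on the server, because the cookie's Max-Age or Expires attribute is honoured only by the browser that received it, not by whoever replays the captured value.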

Affected Version(s)

Apache Shiro from 1.2.4 up to and including 2.99.99 (all 1.x and 2.x releases from 1.2.4 onward)

Apache Shiro from 3.0.0-alpha-0 up to and including 3.0.0-alpha-1


CVSS v4

Score: 2
Severity: LOW
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: High
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability reserved

  • Vulnerability published: 25 June 2026

Credit

Richard Bradley
Lenny Primak <lenny@flowlogix.com>