GHSA-m8g6-vrr2-x7ff
Severity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:X/V:D/RE:L/U:Green
AC:H because exploitation requires prior cookie theft; C:H/I:H because replayed session grants full victim account access; no availability impact.
Primary rating from Vendor (CNA).
CVSS VectorVendor
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:X/V:D/RE:L/U:Green
Lifecycle Timeline
2Description PRE-NVD
Articles & Coverage 2
AnalysisAI
Insufficient session expiration in Apache Shiro's RememberMe feature allows a stolen cookie to be replayed indefinitely, bypassing the configured cookie age restriction. All shiro-web deployments from version 1.2.4 through the entire 2.x line and the 3.0.0-alpha-1 pre-release are affected whenever RememberMe is enabled. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires two conditions to be met simultaneously: first, the Apache Shiro application must have RememberMe functionality explicitly enabled (this is a configurable feature, not enabled in all deployments); second, the attacker must have already obtained a valid RememberMe cookie issued to a legitimate user, through a separate attack vector such as network interception, cross-site scripting, or access to browser storage. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Real-world risk is moderate-to-elevated for applications that rely on RememberMe for convenience. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker positioned to intercept HTTPS traffic via a MITM scenario on an untrusted network, or able to exfiltrate browser cookie storage through a separate XSS vulnerability, captures a victim's Shiro RememberMe cookie issued during an authenticated session. Even after the configured cookie expiration period passes and the victim's browser discards the cookie, the attacker replays the stolen cookie against the application and is granted full session access as the victim, indefinitely. … |
| Remediation | Upgrade to Apache Shiro 3.0.0 or later, which is the vendor-confirmed fix version per the OSS-Security advisory (https://seclists.org/oss-sec/2026/q2/1019). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all Apache Shiro deployments; identify instances with RememberMe enabled; disable the RememberMe feature or activate WAF rules blocking suspicious cookie replay patterns. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-294 – Authentication Bypass by Capture-replay
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39229