Skip to main content

Apache Shiro CVE-2026-56130

| EUVDEUVD-2026-39229 LOW
Authentication Bypass by Capture-replay (CWE-294)
2.0
CVSS 4.0 · Vendor

Severity by source

Vendor (CNA) PRIMARY
2.0 LOW
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:X/V:D/RE:L/U:Green
vuln.today AI
7.4 HIGH

AC:H because exploitation requires prior cookie theft; C:H/I:H because replayed session grants full victim account access; no availability impact.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (CNA).

CVSS VectorVendor

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:X/V:D/RE:L/U:Green
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
A
Scope
N

Lifecycle Timeline

2
CVSS changed
Jun 25, 2026 - 09:23 NVD
2.0 (LOW)
Analysis Generated
Jun 24, 2026 - 20:16 vuln.today

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Insufficient session expiration in Apache Shiro's RememberMe feature allows a stolen cookie to be replayed indefinitely, bypassing the configured cookie age restriction. All shiro-web deployments from version 1.2.4 through the entire 2.x line and the 3.0.0-alpha-1 pre-release are affected whenever RememberMe is enabled. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify Shiro app with RememberMe enabled
Delivery
Intercept or steal victim's RememberMe cookie
Exploit
Wait for cookie's configured expiry to pass
Execution
Replay expired cookie against application
Impact
Gain persistent authenticated session as victim

Vulnerability AssessmentAI

Exploitation Exploitation requires two conditions to be met simultaneously: first, the Apache Shiro application must have RememberMe functionality explicitly enabled (this is a configurable feature, not enabled in all deployments); second, the attacker must have already obtained a valid RememberMe cookie issued to a legitimate user, through a separate attack vector such as network interception, cross-site scripting, or access to browser storage. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is moderate-to-elevated for applications that rely on RememberMe for convenience. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker positioned to intercept HTTPS traffic via a MITM scenario on an untrusted network, or able to exfiltrate browser cookie storage through a separate XSS vulnerability, captures a victim's Shiro RememberMe cookie issued during an authenticated session. Even after the configured cookie expiration period passes and the victim's browser discards the cookie, the attacker replays the stolen cookie against the application and is granted full session access as the victim, indefinitely. …
Remediation Upgrade to Apache Shiro 3.0.0 or later, which is the vendor-confirmed fix version per the OSS-Security advisory (https://seclists.org/oss-sec/2026/q2/1019). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Apache Shiro deployments; identify instances with RememberMe enabled; disable the RememberMe feature or activate WAF rules blocking suspicious cookie replay patterns. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-56130 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy