CVE-2026-39324

Source
https://cve.org/CVERecord?id=CVE-2026-39324
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-39324.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-39324
Aliases
Downstream
Related
Published
2026-04-07T18:13:28.639Z
Modified
2026-07-15T01:49:00.190286943Z
Severity
  • 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
Rack::Session::Cookie secrets: decrypt failure fallback enables secretless session forgery and Marshal deserialization
Details

Rack::Session is a session management implementation for Rack. From 2.0.0 to before 2.1.2, Rack::Session::Cookie incorrectly handles decryption failures when configured with secrets:. If cookie decryption fails, the implementation falls back to a default decoder instead of rejecting the cookie. This allows an unauthenticated attacker to supply a crafted session cookie that is accepted as valid session data without knowledge of any configured secret. Because this mechanism is used to load session state, an attacker can manipulate session contents and potentially gain unauthorized access. This vulnerability is fixed in 2.1.2.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-287",
        "CWE-345",
        "CWE-502",
        "CWE-565"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/39xxx/CVE-2026-39324.json"
}
References

Affected packages

Git / github.com/rack/rack-session

Affected ranges

Type
GIT
Repo
https://github.com/rack/rack-session
Events
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ],
    "extracted_events": [
        {
            "introduced": "2.0.0"
        },
        {
            "fixed": "2.1.2"
        }
    ],
    "cpe": "cpe:2.3:a:rack:rack-session:*:*:*:*:*:ruby:*:*"
}

Affected versions

v2.*
v2.0.0
v2.1.0
v2.1.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-39324.json"