PT-2026-30806 · Unknown · Rack::Session
Sm1Ee · Published 2026-04-07 · Updated 2026-04-28 · CVE-2026-39324
CVSS v3.1: 9.8 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Rack::Session versions 2.0.0 through 2.1.1
Description
Rack::Session is a session management implementation for Rack. Versions 2.0.0 through 2.1.1 incorrectly handle decryption failures when configured with secrets. If cookie decryption fails, the implementation falls back to a default decoder instead of rejecting the cookie. This allows an unauthenticated attacker to supply a crafted session cookie that is accepted as valid session data without knowledge of any configured secret. An attacker can manipulate session contents and potentially gain unauthorized access.
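The failure mode described above, shown on a small model written for this advisory rather than taken from Rack::Session itself: an encrypted-and-authenticated cookie, a hypothetical unauthenticated "default decoder" (plain Base64 + JSON, constructed for the example), and the two ways a decoder can react when decryption under the configured secret fails. The class and function names, the AES-256-GCM layout and the sample secret are all assumptions of this example; the real library's cookie format and decoder are not reproduced here.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Added illustration of the advisory's failure mode (not Rack::Session's code):
# a session cookie is encrypted and authenticated with AES-256-GCM under the
# application secret; the question is what the decoder does when that fails.
class CookieCrypto
  IV_LEN  = 12
  TAG_LEN = 16

  def initialize(secret)
    # Derive a fixed-length key from the configured secret (hypothetical KDF).
    @key = OpenSSL::Digest::SHA256.digest(secret)
  end

  # Returns Base64( iv || auth_tag || ciphertext ) for a session hash.
  def encrypt(session)
    cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    cipher.key = @key
    iv = cipher.random_iv
    ciphertext = cipher.update(JSON.generate(session)) + cipher.final
    Base64.strict_encode64(iv + cipher.auth_tag + ciphertext)
  end

  # Returns the session hash, or nil when the cookie is not a valid ciphertext
  # under our secret (wrong key, tampering, or plain garbage). GCM's tag check
  # is what makes "decryption failed" mean "not authenticated by us".
  def decrypt(cookie)
    raw = Base64.strict_decode64(cookie)
    return nil if raw.bytesize <= IV_LEN + TAG_LEN
    iv  = raw.byteslice(0, IV_LEN)
    tag = raw.byteslice(IV_LEN, TAG_LEN)
    ciphertext = raw.byteslice(IV_LEN + TAG_LEN, raw.bytesize)
    cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    cipher.key = @key
    cipher.iv = iv
    cipher.auth_tag = tag
    JSON.parse(cipher.update(ciphertext) + cipher.final)
  rescue OpenSSL::Cipher::CipherError, ArgumentError, JSON::ParserError
    nil
  end
end

# The "default decoder" of this model: an unauthenticated Base64+JSON encoding
# that anyone can produce without the secret. Constructed for the example.
def default_decode(cookie)
  JSON.parse(Base64.strict_decode64(cookie))
rescue ArgumentError, JSON::ParserError
  nil
end

# Vulnerable shape described in the advisory: when decryption fails, the cookie
# is handed to the default decoder, so a value nobody signed becomes the session.
def decode_with_fallback(crypto, cookie)
  crypto.decrypt(cookie) || default_decode(cookie)
end

# Fixed shape: a decryption failure means the cookie was not produced under our
# secret, so it is rejected and the caller starts a fresh, empty session.
def decode_strict(crypto, cookie)
  crypto.decrypt(cookie)
end

if __FILE__ == $PROGRAM_NAME
  crypto = CookieCrypto.new('server-secret')
  legit  = crypto.encrypt('user_id' => 42)
  # A cookie produced without the secret, in the default decoder's format.
  unsigned = Base64.strict_encode64(JSON.generate('user_id' => 1, 'admin' => true))
  puts "fallback, unsigned cookie: #{decode_with_fallback(crypto, unsigned).inspect}"
  puts "strict,   unsigned cookie: #{decode_strict(crypto, unsigned).inspect}"
  puts "strict,   legit cookie:    #{decode_strict(crypto, legit).inspect}"
end
```

The point to check in any session middleware is the branch taken on `CipherError`: the only acceptable outcomes are "reject and start an empty session" or "raise", never "try another decoder". The same rule applies to key rotation: trying each configured secret in turn is fine, but exhausting the list must still end in rejection.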
Recommendations
Update Rack::Session to version 2.1.2 or later.
Exploit
Fix
RCE
Insufficient Verification of Data Authenticity
Improper Authentication
Deserialization of Untrusted Data
Related Identifiers
Affected Products
Rack::Session