PT-2026-7871 · Unknown · Frankenphp

Xavierleune · Published 2026-02-12 · Updated 2026-03-03

CVE-2026-24894 · CVSS v4.0 8.7 (High)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: FrankenPHP versions prior to 1.11.2
Description: FrankenPHP, when running in worker mode, does not correctly reset the $_SESSION superglobal between requests. A subsequent request processed by the same worker can therefore read the $_SESSION data of the previous request, potentially belonging to a different user, if it does so before session_start() is called. The issue arises because $_SESSION lives in the Zend Engine's symbol table and is not explicitly deleted by FrankenPHP's per-request reset logic; session_start() would overwrite it from the current client's session, but code that reads the superglobal earlier sees the stale contents. The result is cross-request data leakage that can expose sensitive information such as authentication tokens, user IDs, and PII. Only applications that read $_SESSION before calling session_start() are affected. A proof of concept demonstrates that session data set by a request from Client A can be read by a request from Client B without a new session being initiated.
Recommendations: Versions prior to 1.11.2 should be updated to version 1.11.2 or later. As a temporary workaround, ensure session_start() is called immediately at the entry point of your worker request handler, before any read of $_SESSION. Alternatively, manually unset $_SESSION at the very beginning of each iteration of the worker loop, before handling the request.
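The following worker script is an added example, not FrankenPHP project code or the advisory's proof of concept. It places the leaky pattern the advisory describes (a $_SESSION read that precedes session_start()) next to both interim workarounds: calling session_start() first inside the handler, and clearing the superglobal at the top of every loop iteration. The session key `user_id`, the `login` query parameter, and the way the script is launched are assumptions made for the illustration; `frankenphp_handle_request()` is FrankenPHP's real worker-mode entry point.

```php
<?php
// Added example (not FrankenPHP's own code): worker script contrasting the
// vulnerable read-before-session_start() pattern with the advisory's two
// workarounds. Assumptions: session data keyed by 'user_id', a 'login' query
// parameter, launched with `frankenphp php-server --worker worker.php`.
declare(strict_types=1);

if (!function_exists('frankenphp_handle_request')) {
    fwrite(STDERR, "This script must run under FrankenPHP worker mode.\n");
    exit(1);
}

// Keep the worker alive if a client disconnects mid-request.
ignore_user_abort(true);

// VULNERABLE on builds before 1.11.2: the first line reads $_SESSION before
// session_start() has loaded this client's session, so it can return the
// previous request's data (another user's id) on the same worker.
$vulnerableHandler = static function (): void {
    $seenBefore = $_SESSION['user_id'] ?? 'anonymous';   // stale on affected builds
    session_start();
    if (isset($_GET['login'])) {
        $_SESSION['user_id'] = $_GET['login'];
    }
    header('Content-Type: text/plain');
    echo "seen-before-session_start: {$seenBefore}\n";
    session_write_close();
};

// HARDENED (workaround 1): session_start() is the first statement, so
// $_SESSION is repopulated from the current client's cookie before any read.
$hardenedHandler = static function (): void {
    session_start();
    if (isset($_GET['login'])) {
        session_regenerate_id(true);          // fresh id when identity changes
        $_SESSION['user_id'] = $_GET['login'];
    }
    $who = $_SESSION['user_id'] ?? 'anonymous';
    header('Content-Type: text/plain');
    echo "user: {$who}\n";
    session_write_close();
};

$handler = $hardenedHandler;   // switch to $vulnerableHandler to reproduce

$maxRequests = (int) ($_SERVER['MAX_REQUESTS'] ?? 0);
for ($n = 0; !$maxRequests || $n < $maxRequests; ++$n) {
    // Workaround 2: wipe the superglobal ourselves before the next request is
    // handled, so nothing from the previous client survives in the symbol
    // table even if a handler reads $_SESSION before session_start().
    $_SESSION = [];
    unset($_SESSION);

    if (!frankenphp_handle_request($handler)) {
        break;   // server is shutting down
    }

    // Collect cycles between requests rather than mid-page.
    gc_collect_cycles();
}
```

To reproduce the leak on an affected build with `$vulnerableHandler` selected, have one client establish session data and a second client with no cookie hit the same worker: `curl -c a.jar 'http://localhost/?login=alice'` followed by `curl 'http://localhost/'`. On an affected version the second, cookieless response can print `seen-before-session_start: alice`; with the `unset($_SESSION)` at the top of the loop, or on 1.11.2 and later, it prints `anonymous`. Note that `unset($_SESSION)` is placed in the loop at global scope, where the superglobal actually lives, not inside the handler closure.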

Exploit

Fix

Weakness Enumeration

Improper Privilege Management

Insufficient Session Expiration

Session Fixation

Related Identifiers

CVE-2026-24894
GHSA-R3XH-3R3W-47GP
GO-2026-4489
SUSE-SU-2026:0757-1

Affected Products

Frankenphp