CVE-2026-39324

EPSS 0.06%
Veröffentlicht 07.04.2026 18:16:43
Zuletzt bearbeitet 15.04.2026 20:17:18
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Rack::Session::Cookie secrets: decrypt failure fallback enables secretless session forgery and Marshal deserialization

Rack::Session is a session management implementation for Rack. From 2.0.0 to before 2.1.2, Rack::Session::Cookie incorrectly handles decryption failures when configured with secrets:. If cookie decryption fails, the implementation falls back to a default decoder instead of rejecting the cookie. This allows an unauthenticated attacker to supply a crafted session cookie that is accepted as valid session data without knowledge of any configured secret. Because this mechanism is used to load session state, an attacker can manipulate session contents and potentially gain unauthorized access. This vulnerability is fixed in 2.1.2.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 4 Referenzen 4

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Rack ≫ Rack-session SwPlatformruby Version >= 2.0.0 < 2.1.2

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.06%	0.197

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	9.3	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

CWE-345 Insufficient Verification of Data Authenticity

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

CWE-565 Reliance on Cookies without Validation and Integrity Checking

The product relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the setting is valid for the associated user.

https://github.com/rack/rack-session/security/advisories/GHSA-33qg-7wpp-89cq

Vendor Advisory

Mitigation

https://nvd.nist.gov/vuln/detail/CVE-2026-39324

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-39324

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-39324

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-39324