CVE-2026-39324

EUVD-2026-19820
Rack::Session is a session management implementation for Rack. From 2.0.0 to before 2.1.2, Rack::Session::Cookie incorrectly handles decryption failures when configured with the secrets: option. If cookie decryption fails, the implementation falls back to a default decoder instead of rejecting the cookie. This allows an unauthenticated attacker to supply a crafted session cookie that is accepted as valid session data without knowledge of any configured secret. Because this mechanism is used to load session state, an attacker can manipulate session contents and potentially gain unauthorized access. This vulnerability is fixed in 2.1.2.
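The failure mode described above is a fail-open fallback: the encrypted path rejects the cookie, and a second, unauthenticated decoder is then allowed to interpret the same bytes. The following Ruby is an added illustration written for this page; it is not Rack::Session's code and does not reproduce Rack's wire format or API. It uses a constructed AES-256-GCM cookie codec with JSON payloads, puts the fail-open loader next to the fail-closed one, and is the kind of regression check a maintainer would want: a cookie built without the secret must load as an empty session, never as attacker-chosen state.

```ruby
require "openssl"
require "json"

# Hypothetical session-cookie codec (constructed for this example, not Rack's).
# Cookie format assumed here: base64( iv[12] || gcm_tag[16] || ciphertext ).
module SessionCookieDemo
  IV_LEN  = 12
  TAG_LEN = 16

  # Encrypt a session hash under a 32-byte key with AES-256-GCM.
  def self.encrypt(session, key)
    cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
    cipher.key = key
    iv = cipher.random_iv            # sets and returns a fresh 12-byte IV
    cipher.auth_data = ""
    ct = cipher.update(JSON.generate(session)) + cipher.final
    [iv + cipher.auth_tag + ct].pack("m0")
  end

  # Authenticated decrypt. Returns the session hash, or nil when the cookie is
  # malformed, was not produced under `key`, or has been tampered with.
  def self.decrypt(cookie, key)
    raw = cookie.unpack1("m0")       # strict base64; raises ArgumentError on junk
    return nil if raw.bytesize < IV_LEN + TAG_LEN
    iv  = raw[0, IV_LEN]
    tag = raw[IV_LEN, TAG_LEN]
    ct  = raw[(IV_LEN + TAG_LEN)..]
    cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
    cipher.key = key
    cipher.iv = iv
    cipher.auth_tag = tag
    cipher.auth_data = ""
    JSON.parse(cipher.update(ct) + cipher.final)   # final raises on tag mismatch
  rescue OpenSSL::Cipher::CipherError, ArgumentError, JSON::ParserError
    nil
  end

  # "Default" decoder standing in for an unauthenticated legacy format:
  # plain base64-encoded JSON. Nothing about it proves who wrote the cookie.
  def self.fallback_decode(cookie)
    JSON.parse(cookie.unpack1("m0"))
  rescue ArgumentError, JSON::ParserError
    {}
  end

  # Fail-open loader (the anti-pattern the advisory describes): if decryption
  # fails, trust whatever the unauthenticated decoder makes of the bytes.
  def self.load_fail_open(cookie, key)
    decrypt(cookie, key) || fallback_decode(cookie)
  end

  # Fail-closed loader (the fix): an undecryptable cookie is simply discarded
  # and the request starts with an empty session.
  def self.load_fail_closed(cookie, key)
    decrypt(cookie, key) || {}
  end
end

if __FILE__ == $PROGRAM_NAME
  key    = OpenSSL::Random.random_bytes(32)
  forged = [JSON.generate({ "user_id" => 1, "admin" => true })].pack("m0")
  puts "fail-open   loads forged cookie as: #{SessionCookieDemo.load_fail_open(forged, key)}"
  puts "fail-closed loads forged cookie as: #{SessionCookieDemo.load_fail_closed(forged, key)}"
end
```

The only difference between the two loaders is what happens on the nil branch; the encrypt and decrypt routines are identical. A useful test in a session library is exactly the forged-cookie case: take the loader, hand it a payload encoded in the fallback format with no knowledge of the key, and assert that the resulting session is empty.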
CVSS (Provider: NIST, Type: Primary)
Base Score: 9.8 CRITICAL (CVSS 3.x)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score
Percentile: 19%
Affected Products (NVD)
Vendor: rack
Product: rack-session
Version: 2.0.0 ≤ x < 2.1.2 (x = vulnerable software versions)
Debian Releases
Product: ruby-rack-session
forky: 2.1.1-0.2 (fixed)
sid: 2.1.1-0.2 (fixed)
trixie: vulnerable
Ubuntu Releases
Product: ruby-rack
bionic: not-affected
focal: not-affected
jammy: not-affected
noble: not-affected
questing: not-affected
resolute: not-affected
trusty: not-affected
xenial: not-affected
Product: ruby-rack-session
jammy: dne (does not exist)
noble: dne (does not exist)
questing: fixed 2.1.1-0.1ubuntu0.1 (released)
resolute: fixed 2.1.1-0.1ubuntu0.26.04.1 (released)