CVE-2026-39324
Published: 07 April 2026
Summary
CVE-2026-39324 is a critical-severity Improper Authentication (CWE-287) vulnerability in Rack::Session, the Rack project's session management library. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 19.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Timely flaw remediation, by upgrading Rack::Session to version 2.1.2, directly eliminates the vulnerability that allows forged session cookies to be accepted.
Session authenticity mechanisms ensure communications sessions, including cookie-based web sessions, cannot be forged or manipulated without proper validation.
Information input validation of session cookies prevents the server from accepting and deserializing tampered or otherwise invalid session data.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A vulnerability in a public-facing web application component (Rack::Session) enables remote exploitation (T1190) to forge web session cookies without knowledge of the configured secret (T1606.001, Forge Web Credentials: Web Cookies), allowing unauthorized access and user impersonation.
NVD Description
Rack::Session is a session management implementation for Rack. From 2.0.0 to before 2.1.2, Rack::Session::Cookie incorrectly handles decryption failures when configured with secrets:. If cookie decryption fails, the implementation falls back to a default decoder instead of rejecting the cookie. This allows an unauthenticated attacker to supply a crafted session cookie that is accepted as valid session data without knowledge of any configured secret. Because this mechanism is used to load session state, an attacker can manipulate session contents and potentially gain unauthorized access. This vulnerability is fixed in 2.1.2.
Deeper analysis
Rack::Session, the session management implementation for Rack (the web server interface used by Ruby applications), contains a vulnerability (CVE-2026-39324) affecting versions from 2.0.0 up to but not including 2.1.2. The flaw lies in Rack::Session::Cookie when it is configured with secrets: decryption failures are mishandled. Instead of rejecting a cookie that fails decryption, the code falls back to a default decoder, so tampered session data is accepted without knowledge of the configured secret.
An unauthenticated attacker with network access can exploit this remotely with low complexity and no privileges (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, score 9.8). By supplying a crafted session cookie, the attacker can forge valid session state, manipulate session contents, and potentially achieve unauthorized access to the application, such as impersonating users or escalating privileges depending on the session's role in the app.
The GitHub security advisory (GHSA-33qg-7wpp-89cq) confirms the issue and states it is fixed in Rack::Session version 2.1.2, recommending immediate upgrades for affected installations. Associated CWEs include CWE-287 (Improper Authentication), CWE-345 (Insufficient Verification of Data Authenticity), CWE-502 (Deserialization of Untrusted Data), and CWE-565 (Reliance on Cookies without Validation and Integrity Checking).
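To make the failure mode described in the NVD description and the analysis above concrete, here is an added Ruby example; it is not Rack's code and does not reproduce Rack::Session::Cookie's internals. It models a cookie codec that encrypts and authenticates session data with AES-256-GCM under a key derived from the configured secret, a hypothetical unauthenticated "legacy" encoding standing in for a default decoder, and two ways of loading a session from the cookie: the fallback pattern the advisory describes (decryption failure silently falls through to the legacy decoder) and the fail-closed pattern (decryption failure yields an empty session). The secret and cookie values are constructed.

```ruby
require 'openssl'
require 'json'
require 'base64'

# Hypothetical authenticated cookie codec (not Rack's implementation).
# The key is derived from the configured secret; AES-256-GCM provides both
# confidentiality and an integrity tag, so any modification is detected.
class EncryptedCookieCodec
  IV_LEN  = 12
  TAG_LEN = 16

  def initialize(secret)
    @key = OpenSSL::Digest::SHA256.digest(secret)
  end

  # Serialize the session hash as JSON and return base64(iv || tag || ciphertext).
  def encode(session_hash)
    cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    cipher.key = @key
    iv = cipher.random_iv
    cipher.auth_data = ''
    ciphertext = cipher.update(JSON.generate(session_hash)) + cipher.final
    Base64.strict_encode64(iv + cipher.auth_tag + ciphertext)
  end

  # Return the session hash, or nil when the cookie is malformed or the
  # authentication tag does not verify. Callers decide what nil means.
  def decrypt(cookie)
    raw = Base64.strict_decode64(cookie)
    return nil if raw.bytesize < IV_LEN + TAG_LEN

    iv, tag, ciphertext = raw[0, IV_LEN], raw[IV_LEN, TAG_LEN], raw[(IV_LEN + TAG_LEN)..]
    cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    cipher.key = @key
    cipher.iv = iv
    cipher.auth_tag = tag
    cipher.auth_data = ''
    JSON.parse(cipher.update(ciphertext) + cipher.final)
  rescue OpenSSL::Cipher::CipherError, ArgumentError, JSON::ParserError
    nil
  end
end

# Illustrative stand-in for an unauthenticated "default" encoding: plain
# base64-wrapped JSON with no secret involved. This is an assumption for the
# example, not Rack's actual default decoder.
module LegacyCodec
  def self.decode(cookie)
    JSON.parse(Base64.strict_decode64(cookie))
  rescue ArgumentError, JSON::ParserError
    nil
  end
end

# The pattern the advisory describes: when authenticated decryption fails, the
# cookie is handed to the legacy decoder, so unauthenticated data becomes
# session state.
def load_session_with_fallback(codec, cookie)
  codec.decrypt(cookie) || LegacyCodec.decode(cookie)
end

# Fail-closed handling: a cookie that does not authenticate starts a fresh,
# empty session; nothing the client supplied is trusted.
def load_session_fail_closed(codec, cookie)
  codec.decrypt(cookie) || {}
end

if __FILE__ == $PROGRAM_NAME
  codec = EncryptedCookieCodec.new('constructed-test-secret')
  genuine = codec.encode({ 'user_id' => 7 })
  unauthenticated = Base64.strict_encode64(JSON.generate({ 'user_id' => 1, 'admin' => true }))
  puts "genuine cookie, fail-closed:        #{load_session_fail_closed(codec, genuine).inspect}"
  puts "unauthenticated cookie, fallback:   #{load_session_with_fallback(codec, unauthenticated).inspect}"
  puts "unauthenticated cookie, fail-closed: #{load_session_fail_closed(codec, unauthenticated).inspect}"
end
```

The difference between the two loaders is the whole bug class: once a decoder exists that needs no secret, any code path that reaches it on failure turns the secret into decoration. The fail-closed loader also covers the tampering case, because a single flipped byte in the ciphertext fails the GCM tag check and is rejected rather than partially decrypted.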
Details
- CWE(s)