Cyber Resilience

CVE-2026-39324

Critical · RCE

Published: 07 April 2026
Modified: 15 April 2026
KEV Added: not listed
Patch: fixed in 2.1.2
CVSS Score v4: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0027 (18.4th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-39324 is a critical-severity Improper Authentication (CWE-287) vulnerability in Rack Rack-Session. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 18.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).

Deeper analysis

Rack::Session, a session management implementation for the Rack web server interface used in Ruby applications, contains a vulnerability (CVE-2026-39324) affecting versions from 2.0.0 up to but not including 2.1.2. The flaw occurs in Rack::Session::Cookie when configured with secrets, where decryption failures are mishandled. Instead of rejecting invalid cookies, the code falls back to a default decoder, enabling acceptance of tampered session data without requiring knowledge of the configured secret.

An unauthenticated attacker with network access can exploit this remotely with low complexity and no privileges (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, score 9.8). By supplying a crafted session cookie, the attacker can forge valid session state, manipulate session contents, and potentially achieve unauthorized access to the application, such as impersonating users or escalating privileges depending on the session's role in the app.

The GitHub security advisory (GHSA-33qg-7wpp-89cq) confirms the issue and states it is fixed in Rack::Session version 2.1.2, recommending immediate upgrades for affected installations. Associated CWEs include CWE-287 (Improper Authentication), CWE-345 (Insufficient Verification of Data Authenticity), CWE-502 (Deserialization of Untrusted Data), and CWE-565 (Reliance on Cookies without Validation and Integrity Checking).

Vulnerability details

Rack::Session is a session management implementation for Rack. From 2.0.0 to before 2.1.2, Rack::Session::Cookie incorrectly handles decryption failures when configured with secrets. If cookie decryption fails, the implementation falls back to a default decoder instead of rejecting the cookie. This allows an unauthenticated attacker to supply a crafted session cookie that is accepted as valid session data without knowledge of any configured secret. Because this mechanism is used to load session state, an attacker can manipulate session contents and potentially gain unauthorized access. This vulnerability is fixed in 2.1.2.
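To make the failure mode concrete, the toy cookie store below contrasts the vulnerable fallback described above with the fix: on a decryption failure the vulnerable variant hands the cookie to an unauthenticated legacy decoder, while the fixed variant discards it and starts a new session. This is an added example, not rack-session's code or cookie format; the class name, the iv--ciphertext--tag layout and all sample values are constructed.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Toy AES-256-GCM cookie store modelling the bug class, NOT rack-session's code
# or wire format. Layout iv--ciphertext--tag (each base64) is constructed here.
class ToyCookieStore
  def initialize(secret, fallback_on_failure:)
    @key = OpenSSL::Digest::SHA256.digest(secret)   # 32-byte key from secret
    @fallback_on_failure = fallback_on_failure       # true reproduces the flaw
  end

  def encode(session)
    c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    c.key = @key
    iv = c.random_iv
    c.auth_data = ''
    ct = c.update(session.to_json) + c.final
    [iv, ct, c.auth_tag].map { |b| Base64.strict_encode64(b) }.join('--')
  end

  # Returns the session hash, or nil when the cookie must be discarded.
  def decode(cookie)
    decrypt(cookie)
  rescue OpenSSL::Cipher::CipherError, ArgumentError
    # Vulnerable: trust the legacy, unauthenticated encoding instead.
    # Fixed: any failure means a forged or corrupt cookie; start a new session.
    @fallback_on_failure ? legacy_decode(cookie) : nil
  end

  private

  def decrypt(cookie)
    parts = cookie.split('--')
    raise ArgumentError, 'malformed cookie' unless parts.size == 3
    iv, ct, tag = parts.map { |p| Base64.strict_decode64(p) }
    c = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    c.key = @key
    c.iv = iv
    c.auth_tag = tag          # GCM tag is verified inside #final
    c.auth_data = ''
    JSON.parse(c.update(ct) + c.final)
  end

  # Legacy decoder: base64(JSON) with no integrity check at all.
  def legacy_decode(cookie)
    JSON.parse(Base64.strict_decode64(cookie))
  rescue ArgumentError, JSON::ParserError
    nil
  end
end
```

The useful defender's check is the difference in behaviour on the same unauthenticated input: the fixed store returns nil (new empty session) wherever the vulnerable store returns attacker-controlled session contents.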

Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1606.001 Web Cookies (Credential Access): Adversaries may forge web cookies that can be used to gain access to web applications or Internet services.
Why these techniques?

Vulnerability in public-facing web application (Rack::Session) enables remote exploitation (T1190) to forge session cookies without secrets (T1606.001), allowing unauthorized access and impersonation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2026-34785 (same vendor: Rack)
- CVE-2026-34829 (same vendor: Rack)
- CVE-2026-34830 (same vendor: Rack)
- CVE-2026-22860 (same vendor: Rack)
- CVE-2025-27610 (same vendor: Rack)
- CVE-2026-34827 (same vendor: Rack)
- CVE-2026-34826 (same vendor: Rack)
- CVE-2025-27111 (same vendor: Rack)
- CVE-2026-34230 (same vendor: Rack)
- CVE-2025-70841 (shared CWE-287)

Affected Assets

Vendor: rack
Product: rack-session
Affected versions: 2.0.0 up to but not including 2.1.2

Mitigating Controls (NIST 800-53 r5) [AI]

- Prevent: Timely flaw remediation through upgrading Rack::Session to version 2.1.2 directly eliminates the vulnerability allowing forged session cookies.
- Prevent (SC-23 Session Authenticity): Session authenticity mechanisms ensure communications sessions, including cookie-based web sessions, cannot be forged or manipulated without proper validation.
- Prevent (SI-10 Information Input Validation): Information input validation of session cookies prevents the server from accepting and deserializing tampered or invalid session data.
