CVE-2026-39324
Published: 07 April 2026
Description
Adversaries may forge web cookies that can be used to gain access to web applications or Internet services.
Security Summary
Rack::Session (the rack-session gem), the session management implementation for the Rack web server interface used by Ruby applications, contains a vulnerability (CVE-2026-39324) affecting versions from 2.0.0 up to but not including 2.1.2. The flaw is in Rack::Session::Cookie when it is configured with secrets: a cookie that fails decryption is not rejected. Instead, the code falls back to the default (unauthenticated) decoder, so tampered session data is accepted without any knowledge of the configured secret.
An unauthenticated attacker with network access to the application can exploit this remotely with low complexity and no privileges or user interaction (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, score 9.8). By supplying a crafted session cookie encoded for the fallback decoder, the attacker can forge arbitrary session state, manipulate session contents, and, depending on what the application trusts the session to carry, impersonate users or escalate privileges.
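The following is an added illustration of the failure mode described above, not rack-session's own code. It models an encrypted cookie (AES-256-GCM over JSON, with a key derived from an assumed secret) beside an unauthenticated legacy decoder (base64 + JSON), and contrasts a loader that silently falls back to the legacy decoder on decryption failure with one that discards the cookie. The cookie layout, key derivation and function names are assumptions for the example.

```ruby
require 'openssl'
require 'json'

# Assumption for the example: a 32-byte key derived from the configured secret.
KEY = OpenSSL::Digest::SHA256.digest('example-secret')

# Cookie layout (assumed): base64( iv[12] || gcm_tag[16] || ciphertext ).
def encrypt_session(key, session_hash)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = key
  iv = cipher.random_iv                      # 12-byte IV for GCM
  ct = cipher.update(JSON.generate(session_hash)) + cipher.final
  [iv + cipher.auth_tag + ct].pack('m0')     # strict base64, no newlines
end

# Returns the session hash, or nil when the cookie does not authenticate under `key`.
def decrypt_session(key, cookie)
  raw = cookie.unpack1('m0')                 # raises ArgumentError on invalid base64
  return nil if raw.bytesize <= 28           # too short to hold iv + tag + ciphertext
  iv, tag, ct = raw[0, 12], raw[12, 16], raw[28..-1]
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = key
  cipher.iv = iv
  cipher.auth_tag = tag
  JSON.parse(cipher.update(ct) + cipher.final) # `final` raises CipherError on a bad tag
rescue OpenSSL::Cipher::CipherError, ArgumentError, JSON::ParserError
  nil
end

# Legacy decoder: no secret involved, so anyone can produce a cookie it accepts.
def legacy_decode(cookie)
  JSON.parse(cookie.unpack1('m0'))
rescue ArgumentError, JSON::ParserError
  nil
end

# Vulnerable pattern: a decryption failure silently falls back to the legacy decoder.
def vulnerable_load(key, cookie)
  decrypt_session(key, cookie) || legacy_decode(cookie) || {}
end

# Hardened pattern: once a secret is configured, a cookie that does not authenticate
# yields an empty session; nothing the attacker controls is deserialized.
def hardened_load(key, cookie)
  decrypt_session(key, cookie) || {}
end

# Constructed forged cookie: plain base64 JSON, never touched by the secret.
FORGED_COOKIE = [JSON.generate('user_id' => 1, 'role' => 'admin', 'admin' => true)].pack('m0')

if __FILE__ == $PROGRAM_NAME
  p vulnerable_load(KEY, FORGED_COOKIE)   # forged state accepted
  p hardened_load(KEY, FORGED_COOKIE)     # {}
  p hardened_load(KEY, encrypt_session(KEY, 'user_id' => 42))
end
```

The only difference between the two loaders is the `|| legacy_decode(cookie)` branch; that branch is what turns a decryption failure into an attacker-chosen session, and removing it is the shape of the fix the advisory describes (upgrade to 2.1.2 rather than patching locally).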
The GitHub security advisory (GHSA-33qg-7wpp-89cq) confirms the issue and states it is fixed in Rack::Session version 2.1.2, recommending immediate upgrades for affected installations. Associated CWEs include CWE-287 (Improper Authentication), CWE-345 (Insufficient Verification of Data Authenticity), CWE-502 (Deserialization of Untrusted Data), and CWE-565 (Reliance on Cookies without Validation and Integrity Checking).
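A quick way to check whether an application pins an affected release is to read its Gemfile.lock. This is an added helper, not part of the advisory or the rack-session project; the lockfile content below is constructed for the example, and the affected range is the one stated above (2.0.0 inclusive to 2.1.2 exclusive).

```ruby
require 'rubygems'

# Affected range from the advisory: >= 2.0.0 and < 2.1.2 (exclusive end).
AFFECTED = (Gem::Version.new('2.0.0')...Gem::Version.new('2.1.2'))

# Extract every rack-session spec line from Gemfile.lock text.
# Spec entries sit under "specs:" at four spaces of indentation; their
# dependencies are indented six, so the anchor below skips those.
def rack_session_versions(lockfile_text)
  lockfile_text.scan(/^ {4}rack-session \(([^)]+)\)$/).flatten
end

def affected?(version_string)
  AFFECTED.cover?(Gem::Version.new(version_string))
rescue ArgumentError
  false  # malformed version strings are not flagged, not crashed on
end

# Returns the list of affected rack-session versions found in the lockfile.
def affected_rack_session(lockfile_text)
  rack_session_versions(lockfile_text).select { |v| affected?(v) }
end

# Constructed sample lockfile (not from any real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (3.1.8)
      rack-session (2.1.0)
        base64 (>= 0.1.0)
        rack (>= 3.0.0)
      rackup (2.2.1)
        rack (>= 3)

  PLATFORMS
    ruby

  DEPENDENCIES
    rack-session
LOCK

if __FILE__ == $PROGRAM_NAME
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  hits = affected_rack_session(text)
  puts hits.empty? ? 'rack-session: not in affected range' :
                     "rack-session #{hits.join(', ')} affected by CVE-2026-39324; upgrade to 2.1.2"
end
```

Run it against a real lockfile with `ruby check.rb path/to/Gemfile.lock`; a hit means the pin needs to move to 2.1.2 or later.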
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A vulnerability in a public-facing web application component (Rack::Session) allows remote exploitation (T1190), and the exploit consists of forging a session cookie without knowing the configured secret (T1606.001), giving the attacker unauthorized access and the ability to impersonate users.