CVE-2026-39324
Received Received - Intake
Session Cookie Decryption Bypass in Rack::Session::Cookie

Publication date: 2026-04-07

Last updated on: 2026-04-15

Assigner: GitHub, Inc.

Description
Rack::Session is a session management implementation for Rack. From 2.0.0 to before 2.1.2, Rack::Session::Cookie incorrectly handles decryption failures when configured with secrets:. If cookie decryption fails, the implementation falls back to a default decoder instead of rejecting the cookie. This allows an unauthenticated attacker to supply a crafted session cookie that is accepted as valid session data without knowledge of any configured secret. Because this mechanism is used to load session state, an attacker can manipulate session contents and potentially gain unauthorized access. This vulnerability is fixed in 2.1.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-07
Last Modified
2026-04-15
Generated
2026-06-16
AI Q&A
2026-04-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-39324
EUVD
EUVD-2026-19820
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
rack rack-session From 2.0.0 (inc) to 2.1.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-345 The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
CWE-565 The product relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the setting is valid for the associated user.
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability allows an unauthenticated attacker to manipulate session contents and potentially gain unauthorized access by bypassing authentication and integrity protections. Such unauthorized access and manipulation of session data can lead to breaches of confidentiality and integrity of sensitive information.

Because regulations like GDPR and HIPAA require strict controls to protect personal and sensitive data, including ensuring data confidentiality, integrity, and access control, this vulnerability could cause non-compliance with these standards if exploited.

Specifically, the vulnerability's impact on authentication and session integrity (CWE-287, CWE-345) and the potential for unauthorized access could violate requirements for protecting personal data and ensuring secure access controls mandated by such regulations.

Mitigation by upgrading to a fixed version and rotating session secrets is necessary to restore compliance and reduce risk.

Executive Summary

CVE-2026-39324 is a critical vulnerability in the RubyGems package `rack-session` versions 2.0.0 to before 2.1.2, specifically in the `Rack::Session::Cookie` component. When configured with the `secrets:` option, the component tries to decrypt incoming session cookies using configured encryptors. If decryption fails, instead of rejecting the cookie, it falls back to a default decoder that accepts unencrypted cookie data as valid session state.

This fallback allows an unauthenticated attacker to supply a specially crafted session cookie that bypasses the intended security protections, enabling manipulation of session contents without knowing any secret keys.

Because session data is used for identity and authorization decisions, this flaw can lead to unauthorized access, authentication bypass, or privilege escalation in affected applications.

The vulnerability is fixed in version 2.1.2, which rejects cookies upon decryption failure when `secrets:` is configured.

Impact Analysis

This vulnerability can have severe impacts because it allows an attacker to remotely exploit the system without any privileges or user interaction.

  • Authentication bypass: Attackers can gain access without valid credentials.
  • Privilege escalation: Attackers can manipulate session data to gain higher privileges.
  • Unauthorized access: Attackers can access sensitive information or functionality by tampering with session state.

Overall, the vulnerability compromises confidentiality, integrity, and availability of the affected system's session management.

Detection Guidance

This vulnerability arises from the Rack::Session::Cookie component in rack-session versions >= 2.0 and < 2.1.2 when configured with the secrets: option. Detection involves identifying if your system is running a vulnerable version of rack-session and if the application uses Rack::Session::Cookie with secrets configured.

Since the vulnerability involves accepting crafted session cookies that bypass decryption, one detection approach is to monitor HTTP traffic for suspicious or malformed session cookies that are accepted without proper validation.

There are no specific commands provided in the resources to detect this vulnerability directly. However, you can check the installed rack-session version with commands like:

  • gem list rack-session
  • grep -r 'Rack::Session::Cookie' /path/to/your/app

Additionally, inspecting application logs for unusual session activity or authentication bypass attempts may help identify exploitation attempts.

Mitigation Strategies

The primary mitigation step is to upgrade the rack-session package to version 2.1.2 or later, where the vulnerability is fixed by rejecting cookies upon decryption failure when secrets: is configured.

After upgrading, it is recommended to rotate session secrets to invalidate any potentially compromised session cookies that may have been accepted and re-issued before the fix.

These steps will prevent attackers from supplying crafted session cookies that bypass authentication and session integrity checks.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39324. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart