CVE-2026-39324
Session Cookie Decryption Bypass in Rack::Session::Cookie
Publication date: 2026-04-07
Last updated on: 2026-04-15
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| rack | rack-session | From 2.0.0 (inc) to 2.1.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
| CWE-565 | The product relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the setting is valid for the associated user. |
| CWE-345 | The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows an unauthenticated attacker to manipulate session contents and potentially gain unauthorized access by bypassing authentication and integrity protections. Such unauthorized access and manipulation of session data can lead to breaches of confidentiality and integrity of sensitive information.
Because regulations like GDPR and HIPAA require strict controls to protect personal and sensitive data, including ensuring data confidentiality, integrity, and access control, this vulnerability could cause non-compliance with these standards if exploited.
Specifically, the vulnerability's impact on authentication and session integrity (CWE-287, CWE-345) and the potential for unauthorized access could violate requirements for protecting personal data and ensuring secure access controls mandated by such regulations.
Mitigation by upgrading to a fixed version and rotating session secrets is necessary to restore compliance and reduce risk.
Can you explain this vulnerability to me?
CVE-2026-39324 is a critical vulnerability in the RubyGems package `rack-session` versions 2.0.0 to before 2.1.2, specifically in the `Rack::Session::Cookie` component. When configured with the `secrets:` option, the component tries to decrypt incoming session cookies using configured encryptors. If decryption fails, instead of rejecting the cookie, it falls back to a default decoder that accepts unencrypted cookie data as valid session state.
This fallback allows an unauthenticated attacker to supply a specially crafted session cookie that bypasses the intended security protections, enabling manipulation of session contents without knowing any secret keys.
Because session data is used for identity and authorization decisions, this flaw can lead to unauthorized access, authentication bypass, or privilege escalation in affected applications.
The vulnerability is fixed in version 2.1.2, which rejects cookies upon decryption failure when `secrets:` is configured.
How can this vulnerability impact me? :
This vulnerability can have severe impacts because it allows an attacker to remotely exploit the system without any privileges or user interaction.
- Authentication bypass: Attackers can gain access without valid credentials.
- Privilege escalation: Attackers can manipulate session data to gain higher privileges.
- Unauthorized access: Attackers can access sensitive information or functionality by tampering with session state.
Overall, the vulnerability compromises confidentiality, integrity, and availability of the affected system's session management.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability arises from the Rack::Session::Cookie component in rack-session versions >= 2.0 and < 2.1.2 when configured with the secrets: option. Detection involves identifying if your system is running a vulnerable version of rack-session and if the application uses Rack::Session::Cookie with secrets configured.
Since the vulnerability involves accepting crafted session cookies that bypass decryption, one detection approach is to monitor HTTP traffic for suspicious or malformed session cookies that are accepted without proper validation.
There are no specific commands provided in the resources to detect this vulnerability directly. However, you can check the installed rack-session version with commands like:
- gem list rack-session
- grep -r 'Rack::Session::Cookie' /path/to/your/app
Additionally, inspecting application logs for unusual session activity or authentication bypass attempts may help identify exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade the rack-session package to version 2.1.2 or later, where the vulnerability is fixed by rejecting cookies upon decryption failure when secrets: is configured.
After upgrading, it is recommended to rotate session secrets to invalidate any potentially compromised session cookies that may have been accepted and re-issued before the fix.
These steps will prevent attackers from supplying crafted session cookies that bypass authentication and session integrity checks.