CVE-2026-39324

UNKNOWN 0.0

Rack::Session::Cookie secrets: decrypt failure fallback enables secretless session forgery and Marshal deserialization

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

8th

Rack::Session is a session management implementation for Rack. From 2.0.0 to before 2.1.2, Rack::Session::Cookie incorrectly handles decryption failures when configured with secrets:. If cookie decryption fails, the implementation falls back to a default decoder instead of rejecting the cookie. This allows an unauthenticated attacker to supply a crafted session cookie that is accepted as valid session data without knowledge of any configured secret. Because this mechanism is used to load session state, an attacker can manipulate session contents and potentially gain unauthorized access. This vulnerability is fixed in 2.1.2.

CWE	CWE-287 CWE-345 CWE-502 CWE-565
Vendor	rack
Product	rack-session
Published	Apr 7, 2026
Last Updated	Apr 8, 2026

Stay Ahead of the Next One

Get instant alerts for rack rack-session

Be the first to know when new unknown vulnerabilities affecting rack rack-session are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

rack / rack-session

>= 2.0.0, < 2.1.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/rack/rack-session/security/advisories/GHSA-33qg-7wpp-89cq