Rack::Session::Cookie secrets: decrypt failure fallback enables secretless session forgery and...

9.3 / 10

CRITICAL

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

Rack::Session is a session management implementation for Rack. From 2.0.0 to before 2.1.2, Rack::Session::Cookie incorrectly handles decryption failures when configured with secrets:. If cookie decryption fails, the implementation falls back to a default decoder instead of rejecting the cookie. This allows an unauthenticated attacker to supply a crafted session cookie that is accepted as valid session data without knowledge of any configured secret. Because this mechanism is used to load session state, an attacker can manipulate session contents and potentially gain unauthorized access. This vulnerability is fixed in 2.1.2.

Basic Information

ID CVE-2026-39324

Source GitHub_M

Published Apr 7, 2026 at 18:13

Modified Apr 8, 2026 at 18:44

Affected Product

Vendor rack

Product rack-session

Version >= 2.0.0, < 2.1.2

Affected Versions rack rack-session >= 2.0.0, < 2.1.2

CWE Classification

CWE-287 CWE-345 CWE-502 CWE-565

References

github.com /rack/rack-session/security/advisories/GHSA-33qg-7wpp-89cq

{
    "lastseen": "",
    "description": "Rack::Session is a session management implementation for Rack. From 2.0.0 to before 2.1.2, Rack::Session::Cookie incorrectly handles decryption failures when configured with secrets:. If cookie decryption fails, the implementation falls back to a default decoder instead of rejecting the cookie. This allows an unauthenticated attacker to supply a crafted session cookie that is accepted as valid session data without knowledge of any configured secret. Because this mechanism is used to load session state, an attacker can manipulate session contents and potentially gain unauthorized access. This vulnerability is fixed in 2.1.2.",
    "published": "2026-04-07T18:13:28.639Z",
    "modified": "2026-04-08T18:44:07.145Z",
    "type": "cve",
    "title": "Rack::Session::Cookie secrets: decrypt failure fallback enables secretless session forgery and Marshal deserialization",
    "source": "GitHub_M",
    "references": "https://github.com/rack/rack-session/security/advisories/GHSA-33qg-7wpp-89cq",
    "id": "CVE-2026-39324",
    "bulletinFamily": "",
    "cwe": [
        "CWE-287",
        "CWE-345",
        "CWE-502",
        "CWE-565"
    ],
    "cvelist": null,
    "sourceData": "rack rack-session >= 2.0.0, < 2.1.2",
    "sourceHref": "",
    "cvss": {
        "score": 9.3,
        "severity": "CRITICAL",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "rack-session",
    "version": ">= 2.0.0, < 2.1.2",
    "vendor": "rack",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Rack::Session::Cookie secrets: decrypt failure fallback enables secretless session forgery and Marshal deserialization_CVE-2026-39324