{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24894", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-27T19:35:20.529Z", "datePublished": "2026-02-12T19:12:04.387Z", "dateUpdated": "2026-02-12T20:04:57.869Z"}, "containers": {"cna": {"title": "FrankenPHP leaks session data between requests in worker mode", "problemTypes": [{"descriptions": [{"cweId": "CWE-269", "lang": "en", "description": "CWE-269: Improper Privilege Management", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-384", "lang": "en", "description": "CWE-384: Session Fixation", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-613", "lang": "en", "description": "CWE-613: Insufficient Session Expiration", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/php/frankenphp/security/advisories/GHSA-r3xh-3r3w-47gp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/php/frankenphp/security/advisories/GHSA-r3xh-3r3w-47gp"}, {"name": "https://github.com/php/frankenphp/commit/24d6c991a7761b638190eb081deae258143e9735", "tags": ["x_refsource_MISC"], "url": "https://github.com/php/frankenphp/commit/24d6c991a7761b638190eb081deae258143e9735"}, {"name": "https://github.com/php/frankenphp/releases/tag/v1.11.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/php/frankenphp/releases/tag/v1.11.2"}], "affected": [{"vendor": "php", "product": "frankenphp", "versions": [{"version": "< 1.11.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-12T19:12:04.387Z"}, "descriptions": [{"lang": "en", "value": "FrankenPHP is a modern application server for PHP. Prior to 1.11.2, when running FrankenPHP in worker mode, the $_SESSION superglobal is not correctly reset between requests. This allows a subsequent request processed by the same worker to access the $_SESSION data of the previous request (potentially belonging to a different user) before session_start() is called. This vulnerability is fixed in 1.11.2."}], "source": {"advisory": "GHSA-r3xh-3r3w-47gp", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-12T20:04:24.224705Z", "id": "CVE-2026-24894", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-12T20:04:57.869Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24894", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-12T20:04:24.224705Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-12T20:04:54.426Z"}}], "cna": {"title": "FrankenPHP leaks session data between requests in worker mode", "source": {"advisory": "GHSA-r3xh-3r3w-47gp", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "php", "product": "frankenphp", "versions": [{"status": "affected", "version": "< 1.11.2"}]}], "references": [{"url": "https://github.com/php/frankenphp/security/advisories/GHSA-r3xh-3r3w-47gp", "name": "https://github.com/php/frankenphp/security/advisories/GHSA-r3xh-3r3w-47gp", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/php/frankenphp/commit/24d6c991a7761b638190eb081deae258143e9735", "name": "https://github.com/php/frankenphp/commit/24d6c991a7761b638190eb081deae258143e9735", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/php/frankenphp/releases/tag/v1.11.2", "name": "https://github.com/php/frankenphp/releases/tag/v1.11.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "FrankenPHP is a modern application server for PHP. Prior to 1.11.2, when running FrankenPHP in worker mode, the $_SESSION superglobal is not correctly reset between requests. This allows a subsequent request processed by the same worker to access the $_SESSION data of the previous request (potentially belonging to a different user) before session_start() is called. This vulnerability is fixed in 1.11.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269: Improper Privilege Management"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-384", "description": "CWE-384: Session Fixation"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-613", "description": "CWE-613: Insufficient Session Expiration"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-12T19:12:04.387Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24894", "state": "PUBLISHED", "dateUpdated": "2026-02-12T20:04:57.869Z", "dateReserved": "2026-01-27T19:35:20.529Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-12T19:12:04.387Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:php:frankenphp:*:*:*:*:*:*:*:*", "matchCriteriaId": "E2C3D161-7DC3-4241-9EBA-481806A802B5", "versionEndExcluding": "1.11.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "FrankenPHP is a modern application server for PHP. Prior to 1.11.2, when running FrankenPHP in worker mode, the $_SESSION superglobal is not correctly reset between requests. This allows a subsequent request processed by the same worker to access the $_SESSION data of the previous request (potentially belonging to a different user) before session_start() is called. This vulnerability is fixed in 1.11.2."}, {"lang": "es", "value": "FrankenPHP es un moderno servidor de aplicaciones para PHP. Antes de la versi\u00f3n 1.11.2, al ejecutar FrankenPHP en modo worker, la superglobal $_SESSION no se restablece correctamente entre solicitudes. Esto permite que una solicitud subsiguiente procesada por el mismo worker acceda a los datos de $_SESSION de la solicitud anterior (potencialmente perteneciente a un usuario diferente) antes de que se llame a session_start(). Esta vulnerabilidad se corrige en la versi\u00f3n 1.11.2."}], "id": "CVE-2026-24894", "lastModified": "2026-02-20T18:31:06.207", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-12T20:16:10.020", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/php/frankenphp/commit/24d6c991a7761b638190eb081deae258143e9735"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/php/frankenphp/releases/tag/v1.11.2"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/php/frankenphp/security/advisories/GHSA-r3xh-3r3w-47gp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}, {"lang": "en", "value": "CWE-384"}, {"lang": "en", "value": "CWE-613"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.11.2)"}}], "product": "frankenphp", "vendor": "php"}], "analysis": {"en": {"generated_at": "2026-04-18T18:08:17.969797+00:00", "value": {"mitigation_remediation": ["Upgrade FrankenPHP to version 1.11.2 or later, which applies the session reset fix.", "If upgrading immediately is not possible, reconfigure the server to use single\u2011request workers or recycle workers between user sessions so that a worker never serves two different users consecutively.", "Review and minimize sensitive data stored in $_SESSION, enforce short session timeouts, and apply additional access controls to reduce the impact window if a session leak occurs."], "summary": {"action": "Patch Now", "impact": "Session Data Leakage"}, "threat_synthesis": {"affected_systems": "All deployments of php:frankenphp using worker mode and running any version older than 1.11.2 are vulnerable. The issue is fixed in release 1.11.2 and later. Deployments that employ persistent worker processes are affected; single\u2011request workers are safe.", "description_and_impact": "FrankenPHP, a modern PHP application server, fails to reset the $_SESSION superglobal between consecutive HTTP requests when running in worker mode. Consequently, a request handled by the same worker can read session data written by a previous request before session_start() clears it, resulting in accidental disclosure of another user\u2019s session contents. This flaw reflects improper session handling and can lead to unauthorized access to sensitive data. Based on the description, it is inferred that an attacker who can arrange for two users\u2019 requests to be serviced by the same worker in sequence could read the prior user\u2019s session data.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 8.7, indicating high severity for confidentiality loss. Its EPSS score is below 1\u202f%, meaning exploitation is currently rare, and it is not listed in the CISA KEV catalog. The risk materializes when a worker can handle requests for two distinct users in succession, allowing an attacker to read another user\u2019s session data before it is cleared. While the flaw does not permit arbitrary code execution, it can expose credentials and other sensitive information, potentially enabling privilege escalation or data breaches."}}}}, "created": "2026-02-13T21:29:33.627054+00:00", "updated": "2026-04-18T18:15:06.601015+00:00", "vendors": ["php", "php$PRODUCT$frankenphp"]}