{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39324", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-06T19:31:07.266Z", "datePublished": "2026-04-07T18:13:28.639Z", "dateUpdated": "2026-04-08T18:44:07.145Z"}, "containers": {"cna": {"title": "Rack::Session::Cookie secrets: decrypt failure fallback enables secretless session forgery and Marshal deserialization", "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "lang": "en", "description": "CWE-287: Improper Authentication", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-345", "lang": "en", "description": "CWE-345: Insufficient Verification of Data Authenticity", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-502", "lang": "en", "description": "CWE-502: Deserialization of Untrusted Data", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-565", "lang": "en", "description": "CWE-565: Reliance on Cookies without Validation and Integrity Checking", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/rack/rack-session/security/advisories/GHSA-33qg-7wpp-89cq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/rack/rack-session/security/advisories/GHSA-33qg-7wpp-89cq"}], "affected": [{"vendor": "rack", "product": "rack-session", "versions": [{"version": ">= 2.0.0, < 2.1.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T18:13:28.639Z"}, "descriptions": [{"lang": "en", "value": "Rack::Session is a session management implementation for Rack. From 2.0.0 to before 2.1.2, Rack::Session::Cookie incorrectly handles decryption failures when configured with secrets:. If cookie decryption fails, the implementation falls back to a default decoder instead of rejecting the cookie. This allows an unauthenticated attacker to supply a crafted session cookie that is accepted as valid session data without knowledge of any configured secret. Because this mechanism is used to load session state, an attacker can manipulate session contents and potentially gain unauthorized access. This vulnerability is fixed in 2.1.2."}], "source": {"advisory": "GHSA-33qg-7wpp-89cq", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T18:43:55.838650Z", "id": "CVE-2026-39324", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T18:44:07.145Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39324", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-08T18:43:55.838650Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T18:44:00.411Z"}}], "cna": {"title": "Rack::Session::Cookie secrets: decrypt failure fallback enables secretless session forgery and Marshal deserialization", "source": {"advisory": "GHSA-33qg-7wpp-89cq", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "rack", "product": "rack-session", "versions": [{"status": "affected", "version": ">= 2.0.0, < 2.1.2"}]}], "references": [{"url": "https://github.com/rack/rack-session/security/advisories/GHSA-33qg-7wpp-89cq", "name": "https://github.com/rack/rack-session/security/advisories/GHSA-33qg-7wpp-89cq", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Rack::Session is a session management implementation for Rack. From 2.0.0 to before 2.1.2, Rack::Session::Cookie incorrectly handles decryption failures when configured with secrets:. If cookie decryption fails, the implementation falls back to a default decoder instead of rejecting the cookie. This allows an unauthenticated attacker to supply a crafted session cookie that is accepted as valid session data without knowledge of any configured secret. Because this mechanism is used to load session state, an attacker can manipulate session contents and potentially gain unauthorized access. This vulnerability is fixed in 2.1.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-287", "description": "CWE-287: Improper Authentication"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-345", "description": "CWE-345: Insufficient Verification of Data Authenticity"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502: Deserialization of Untrusted Data"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-565", "description": "CWE-565: Reliance on Cookies without Validation and Integrity Checking"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T18:13:28.639Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39324", "state": "PUBLISHED", "dateUpdated": "2026-04-08T18:44:07.145Z", "dateReserved": "2026-04-06T19:31:07.266Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-07T18:13:28.639Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rack:rack-session:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "5A881339-CF57-45B4-B1E3-88E26A3C26A8", "versionEndExcluding": "2.1.2", "versionStartIncluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Rack::Session is a session management implementation for Rack. From 2.0.0 to before 2.1.2, Rack::Session::Cookie incorrectly handles decryption failures when configured with secrets:. If cookie decryption fails, the implementation falls back to a default decoder instead of rejecting the cookie. This allows an unauthenticated attacker to supply a crafted session cookie that is accepted as valid session data without knowledge of any configured secret. Because this mechanism is used to load session state, an attacker can manipulate session contents and potentially gain unauthorized access. This vulnerability is fixed in 2.1.2."}], "id": "CVE-2026-39324", "lastModified": "2026-04-15T20:17:18.877", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-07T18:16:43.387", "references": [{"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/rack/rack-session/security/advisories/GHSA-33qg-7wpp-89cq"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}, {"lang": "en", "value": "CWE-345"}, {"lang": "en", "value": "CWE-502"}, {"lang": "en", "value": "CWE-565"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.0.0,2.1.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "rack-session", "source": "cna", "vendor": "rack"}, "product": "rack-session", "vendor": "rack"}], "analysis": {"en": {"generated_at": "2026-04-07T21:54:32.504132+00:00", "value": {"mitigation_remediation": ["Upgrade rack-session to version 2.1.2 or later", "Verify that any configured secrets are enabled and correct", "If immediate upgrade is not possible, validate session cookies and reject malformed or unauthorized ones", "Review application code for unsafe Marshal deserialization; replace with safe alternatives"], "summary": {"action": "Immediate Patch", "impact": "Session forgery leading to unauthorized access"}, "threat_synthesis": {"affected_systems": "The issue affects Rack's session management component rack-session, versions from 2.0.0 up to, but not including, 2.1.2. Applications built with these Ruby libraries are vulnerable if they rely on cookie\u2011based sessions and have any configured secrets. The vulnerability is present in any deployment that does not upgrade past 2.1.2.", "description_and_impact": "Rack::Session::Cookie incorrectly handles decryption failures when secrets are configured. When a cookie cannot be decrypted, the library falls back to a default decoder instead of rejecting it. This flaw lets an unauthenticated attacker craft a session cookie that is accepted as valid without knowing any configured secret. The attacker can then manipulate the session payload, potentially gaining unauthorized access to the application. Because the session payload is deserialized using Marshal, this vulnerability may also allow remote code execution if the application uses unsafe deserialization. The weakness corresponds to authentication bypass and deserialization flaws.", "risk_and_exploitability": "The CVSS base score is 9.3, indicating a critical severity. No EPSS score is reported, and the defect is not yet in CISA\u2019s KEV catalog, but the lack of a secret requirement for exploitation makes the threat broad. An attacker only needs to send a malicious cookie to the target endpoint; no authentication or additional privileges are required. If exploited, the impact can range from unauthorized data access to possible code execution depending on how the application deserializes the session data."}}}}, "created": "2026-04-08T19:35:03.518284+00:00", "updated": "2026-04-08T19:46:43.152665+00:00", "vendors": ["rack", "rack$PRODUCT$rack-session"]}