-
-
Notifications
You must be signed in to change notification settings - Fork 231
Expand file tree
/
Copy pathCVE-2026-39324.yml
More file actions
75 lines (62 loc) · 3.02 KB
/
CVE-2026-39324.yml
File metadata and controls
75 lines (62 loc) · 3.02 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
---
gem: rack-session
cve: 2026-39324
ghsa: 33qg-7wpp-89cq
url: https://github.com/rack/rack-session/security/advisories/GHSA-33qg-7wpp-89cq
title: 'Rack::Session::Cookie secrets: decrypt failure fallback
enables secretless session forgery and Marshal deserialization'
date: 2026-04-08
description: |
'Rack::Session::Cookie incorrectly handles decryption failures when
configured with `secrets:`. If cookie decryption fails, the
implementation falls back to a default decoder instead of rejecting
the cookie. This allows an unauthenticated attacker to supply a
crafted session cookie that is accepted as valid session data
without knowledge of any configured secret.
Because this mechanism is used to load session state, an attacker
can manipulate session contents and potentially gain unauthorized access.
## Details
When `secrets:` is configured, `Rack::Session::Cookie` attempts to
decrypt incoming session cookies using one of the configured encryptors.
If all decrypt attempts fail, the implementation does not reject
the cookie. Instead, it falls back to decoding the cookie using
a default coder.
This fallback path processes attacker-controlled cookie data as
trusted session state. The behavior is implicit and occurs even
when encrypted cookies are expected.
The fallback decoder is applied automatically and does not require
the application to opt into a non-encrypted session format. As a
result, a client can send a specially crafted cookie value that
bypasses the intended integrity protections provided by `secrets:`.
This issue affects both default configurations and those using
alternative serializers for encrypted payloads.
## Impact
Any Rack application using `Rack::Session::Cookie` with
`secrets:` may be affected.
> [!NOTE]
> Rails applications are typically not affected — Rails uses
> `ActionDispatch::Session::CookieStore`, which is a separate
> implementation backed by `ActiveSupport::MessageEncryptor`
> and does not share the vulnerable code path.
An unauthenticated attacker can supply a crafted session cookie
that is accepted as valid session data. This can lead to authentication
bypass or privilege escalation in applications that rely on session
values for identity or authorization decisions.
Depending on application behavior and available runtime components,
processing of untrusted session data may also expose additional risks.
## Mitigation
* Update to a patched version of `rack-session` that rejects cookies
when decryption fails under the `secrets:` configuration.
* After updating, rotate session secrets to invalidate existing
session cookies, since attacker-supplied session data may have
been accepted and re-issued prior to the fix.'
cvss_v4: 9.3
unaffected_versions:
- "< 2.0.0"
patched_versions:
- ">= 2.1.2"
related:
url:
- https://nvd.nist.gov/vuln/detail/CVE-2026-39324
- https://github.com/rack/rack-session/security/advisories/GHSA-33qg-7wpp-89cq
- https://github.com/advisories/GHSA-33qg-7wpp-89cq