Session Management Vulnerability in Rack's Cookie Implementation
CVE-2026-39324

9.3CRITICAL

Key Information:

Vendor: Rack
Status: Rack-session
Vendor: CVE Published:; 7 April 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-39324?

An issue has been identified in Rack::Session's cookie implementation, where decryption failures in session management are not adequately handled. When configured with secrets, if cookie decryption fails, an incorrect fallback to a default decoder occurs instead of rejecting the cookie. This flaw permits an unauthenticated attacker to submit a specially crafted session cookie that is mistakenly accepted as valid session data, circumventing the need for knowledge of any configured secret. This vulnerability can lead to unauthorized access by allowing manipulation of session content.

Affected Version(s)

rack-session >= 2.0.0, < 2.1.2

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-39324
Created by sm1ee

References

https://github.com/rack/rack-session/security/advisories/...

x_refsource_CONFIRM

CVSS V4

Score:

9.3

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Apr 7, 2026
👾
Exploit known to exist
Apr 7, 2026
Vulnerability published
Apr 7, 2026
Vulnerability Reserved
Apr 6, 2026

CVE-2026-39324 Data

JSON