Rack::Session::Cookie secrets: decrypt failure fallback enables secretless session forgery and Marshal deserialization — CVE-2026-39324
GitHub · GitHub · CVE-2026-39324
ID
CVE-2026-39324
CVE-2026-39324
Date
Updated
Activity
Source
GitHub
GitHub
Vendor
GitHub
GitHub
Threat
critical
critical
CVSS
9.1
9.1
EPSS
0.00064
0.00064
Summary
`Rack::Session::Cookie` incorrectly handles decryption failures when configured with `secrets:`. If cookie decryption fails, the implementation falls back to a default decoder instead of rejecting the cookie. This allows an unauthenticated attacker to supply a crafted session cookie that is accepted as valid session data without knowledge of any configured secret. Because this mechanism is used to load session…
Product
rubygems: rack-session
What to do
General, cautious steps (verify details in the official source):
- Prioritize patching or mitigation immediately (treat as actively risky).
- Identify affected product versions in your inventory and verify whether you are impacted.
- Apply vendor patches/updates or recommended mitigations as soon as available.
- Read the official advisory for exact affected versions and remediation steps.