Description
Rack::Session is a session management implementation for Rack. From 2.0.0 to before 2.1.2, Rack::Session::Cookie incorrectly handles decryption failures when configured with the secrets: option. If cookie decryption fails, the implementation falls back to a default decoder instead of rejecting the cookie. This allows an unauthenticated attacker to supply a crafted session cookie that is accepted as valid session data without knowledge of any configured secret. Because this mechanism is used to load session state, an attacker can manipulate session contents and potentially gain unauthorized access. This vulnerability is fixed in 2.1.2.
Published: 2026-04-07
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Session forgery leading to unauthorized access
Action: Immediate Patch
AI Analysis

Impact

Rack::Session::Cookie incorrectly handles decryption failures when secrets are configured. When a cookie cannot be decrypted, the library falls back to a default decoder instead of rejecting it. This flaw lets an unauthenticated attacker craft a session cookie that is accepted as valid without knowing any configured secret. The attacker can then manipulate the session payload, potentially gaining unauthorized access to the application. Because the session payload is deserialized using Marshal, this vulnerability may also allow remote code execution if the application uses unsafe deserialization. The weakness corresponds to authentication bypass and deserialization flaws.
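The fallback described above and in the Description, shown as an added Ruby example that is not rack-session's own code: a hypothetical simplified encrypted-cookie codec, an unauthenticated "default decoder", and the session loader in its vulnerable form (fall through to the default decoder when decryption fails) beside its fixed form (discard the cookie). JSON stands in for the Marshal serializer the advisory mentions, and the secret and cookie values are constructed for the example.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Hypothetical simplified codec (not rack-session's code); JSON stands in for Marshal.
class EncryptedCookie
  def initialize(secret)
    @key = OpenSSL::Digest::SHA256.digest(secret)
  end
  # Produces base64(iv || ciphertext || 16-byte GCM tag).
  def encode(data)
    cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    cipher.key = @key
    iv = cipher.random_iv
    ct = cipher.update(JSON.generate(data)) + cipher.final
    Base64.strict_encode64(iv + ct + cipher.auth_tag)
  end
  # Returns the session hash, or nil when the cookie was not produced with our secret.
  def decrypt(cookie)
    raw = Base64.strict_decode64(cookie)
    return nil if raw.bytesize <= 28 # too short to hold iv + data + tag
    cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    cipher.key = @key
    cipher.iv = raw[0, 12]
    cipher.auth_tag = raw[-16, 16]
    JSON.parse(cipher.update(raw[12...-16]) + cipher.final) # final fails on bad tag
  rescue OpenSSL::Cipher::CipherError, ArgumentError, JSON::ParserError
    nil
  end
end

# The "default decoder": plain base64 + JSON, no secret involved at all.
def default_decode(cookie)
  JSON.parse(Base64.strict_decode64(cookie))
rescue ArgumentError, JSON::ParserError
  nil
end
# Vulnerable: a cookie that fails authenticated decryption falls through to the
# unauthenticated decoder, so whatever the client sent is loaded as session state.
def load_session_vulnerable(codec, cookie)
  codec.decrypt(cookie) || default_decode(cookie)
end
# Fixed: a decryption failure means the cookie is not ours; discard it, start empty.
def load_session_fixed(codec, cookie)
  codec.decrypt(cookie) || {}
end
# Constructed inputs: a never-encrypted client-supplied cookie beside a legitimate one.
CODEC = EncryptedCookie.new('example-secret-not-real')
FORGED_COOKIE = Base64.strict_encode64(JSON.generate({ 'user_id' => 1, 'role' => 'admin', 'elevated' => true }))
LEGIT_COOKIE = CODEC.encode({ 'user_id' => 42, 'role' => 'user' })
```

The check that matters is the one the fixed loader makes: a failed tag verification is treated as "no session", never as "try another decoder".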

Affected Systems

The issue affects Rack's session management component, rack-session, in versions from 2.0.0 up to, but not including, 2.1.2. Applications built with this Ruby library are vulnerable if they rely on cookie-based sessions and have any configured secrets. The vulnerability is present in any deployment that has not upgraded to 2.1.2 or later.

Risk and Exploitability

The CVSS base score is 9.3, indicating a critical severity. No EPSS score is reported, and the defect is not yet in CISA’s KEV catalog, but the lack of a secret requirement for exploitation makes the threat broad. An attacker only needs to send a malicious cookie to the target endpoint; no authentication or additional privileges are required. If exploited, the impact can range from unauthorized data access to possible code execution depending on how the application deserializes the session data.

Generated by OpenCVE AI on April 7, 2026 at 21:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade rack-session to version 2.1.2 or later
  • Verify that any configured secrets are enabled and correct
  • If immediate upgrade is not possible, validate session cookies and reject malformed or unauthorized ones
  • Review application code for unsafe Marshal deserialization; replace with safe alternatives



Advisories
Source | ID | Title
GitHub GHSA | GHSA-33qg-7wpp-89cq | Rack::Session::Cookie secrets: decrypt failure fallback enables secretless session forgery and Marshal deserialization
Ubuntu USN | USN-8190-2 | Rack::Session vulnerability
History

Wed, 15 Apr 2026 20:30:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:rack:rack-session:*:*:*:*:*:ruby:*:*
Metrics | | cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 08 Apr 2026 20:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 08 Apr 2026 19:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Rack; Rack rack-session
Vendors & Products | | Rack; Rack rack-session

Tue, 07 Apr 2026 20:45:00 +0000

Type | Values Removed | Values Added
Description | | Rack::Session is a session management implementation for Rack. From 2.0.0 to before 2.1.2, Rack::Session::Cookie incorrectly handles decryption failures when configured with secrets:. If cookie decryption fails, the implementation falls back to a default decoder instead of rejecting the cookie. This allows an unauthenticated attacker to supply a crafted session cookie that is accepted as valid session data without knowledge of any configured secret. Because this mechanism is used to load session state, an attacker can manipulate session contents and potentially gain unauthorized access. This vulnerability is fixed in 2.1.2.
Title | | Rack::Session::Cookie secrets: decrypt failure fallback enables secretless session forgery and Marshal deserialization
Weaknesses | | CWE-287; CWE-345; CWE-502; CWE-565
References | | 
Metrics | | cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T18:44:07.145Z

Reserved: 2026-04-06T19:31:07.266Z

Link: CVE-2026-39324

Vulnrichment

Updated: 2026-04-08T18:44:00.411Z

NVD

Status : Analyzed

Published: 2026-04-07T18:16:43.387

Modified: 2026-04-15T20:17:18.877

Link: CVE-2026-39324

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:46:43Z