CVE-2024-26144

MEDIUM

Rails 5.2.0 through 6.1.7.6 and 7.0.x before 7.0.8.1 - Sensitive Session Information Leak via Active Storage Blob Set-Cookie Header

Title source: llm

Exploitation Summary

EIP tracks 2 public exploit repositories for CVE-2024-26144: a working PoC published by gmo-ierae, and a repository by usutani that analysis classifies as a stub with no exploit code.

AI-analyzed exploit summary

The working PoC (gmo-ierae) runs a Rails application behind several web servers and CDNs using Docker Compose and a Deno script, and checks whether a response cached by each of them still carries the Set-Cookie header, which would replay one user's session cookie to other clients.

Description

Rails is a web-application framework. Starting with version 5.2.0, Active Storage can leak sensitive session information. By default, the Active Storage controllers that serve blobs respond with the user's session cookie in a Set-Cookie header while also setting Cache-Control to public. A proxy or CDN in front of the application that honours the public Cache-Control and does not strip or refuse responses with Set-Cookie can store that response, cookie included, and replay it to other clients, handing them the original user's session cookie. The vulnerability is fixed in 7.0.8.1 and 6.1.7.7.

Exploits (2)

nomisec WORKING POC
by gmo-ierae · poc
https://github.com/gmo-ierae/CVE-2024-26144-test

This repository contains a proof-of-concept for CVE-2024-26144 that tests whether various web servers and CDNs cache and replay an Active Storage response that carries a Set-Cookie header. The PoC uses a Deno script to check whether responses served from each cache still include Set-Cookie, which would leak the original user's session cookie to other clients.

Classification
Working PoC (95%)
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Various web servers (Nginx, Apache, HAProxy) and CDNs (Cloudflare, CloudFront, Fastly)
No auth needed
Prerequisites: Docker compose · Deno · Access to target web server or CDN
devstral-2 · analyzed Feb 16, 2026
nomisec STUB
by usutani · poc
https://github.com/usutani/study-turbolinks-link

This repository appears to be a stub or study project for Turbolinks, lacking exploit code or PoC for CVE-2024-26144. It contains a basic Rails application structure with Turbolinks integration but no offensive techniques.

Classification
Stub (90%)
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: Turbolinks (version unspecified)
No auth needed
Prerequisites: None identified
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3.1 5.3 (MEDIUM)
EPSS 0.0236 (2.36%)
EPSS Percentile 85.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-200
Status published
Products (2)
rubygems/activestorage >= 5.2.0, < 6.1.7.7 (RubyGems); the 7.0 branch is affected before 7.0.8.1 (see Description)
rubyonrails/rails >= 5.2.0, < 6.1.7.7; the 7.0 branch is affected before 7.0.8.1 (see Description)
Published Feb 27, 2024
Tracked Since Feb 18, 2026