CVE-2026-39324

CRITICAL

Rack::Session::Cookie secrets: decrypt failure fallback enables secretless session forgery and Marshal deserialization

Title source: cna
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-39324. PoCs published by adminlove520, sm1ee.

AI-analyzed exploit summary This repository contains a functional exploit PoC for CVE-2026-39324, demonstrating a session forgery vulnerability in Rack::Session::Cookie where unencrypted cookies are accepted despite the presence of secrets. The exploit includes a vulnerable server, verification script, and attack script to forge session cookies without knowing any secret.

Description

Rack::Session is a session management implementation for Rack. From 2.0.0 to before 2.1.2, Rack::Session::Cookie incorrectly handles decryption failures when configured with secrets:. If cookie decryption fails, the implementation falls back to a default decoder instead of rejecting the cookie. This allows an unauthenticated attacker to supply a crafted session cookie that is accepted as valid session data without knowledge of any configured secret. Because this mechanism is used to load session state, an attacker can manipulate session contents and potentially gain unauthorized access. This vulnerability is fixed in 2.1.2.

Exploits (2)

github WORKING POC 3 stars
by adminlove520 · pythonpoc
https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2026/CVE-2026-39324

This repository contains a functional exploit PoC for CVE-2026-39324, demonstrating a session forgery vulnerability in Rack::Session::Cookie where unencrypted cookies are accepted despite the presence of secrets. The exploit includes a vulnerable server, verification script, and attack script to forge session cookies without knowing any secret.

Classification
Working Poc 100%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: rack-session (RubyGems) <= 2.1.1
No auth needed
Prerequisites: rack-session <= 2.1.1 · Rack::Session::Cookie with secrets: option · Attacker can send HTTP requests to the target
devstral-2 · analyzed May 03, 2026 Full analysis →
nomisec WORKING POC
by sm1ee · poc
https://github.com/sm1ee/CVE-2026-39324

This repository contains a functional exploit PoC for CVE-2026-39324, demonstrating a session forgery vulnerability in Rack::Session::Cookie where unencrypted cookies are accepted despite decryption failures. The exploit includes a vulnerable server setup, verification script, and attack script to forge session cookies without knowing any secret.

Classification
Working Poc 100%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: rack-session (RubyGems) <= 2.1.1
No auth needed
Prerequisites: rack-session <= 2.1.1 · Rack::Session::Cookie with secrets: option · ability to send HTTP requests to the target
devstral-2 · analyzed Apr 08, 2026 Full analysis →

References (1)

Core 1
Core References

Scores

CVSS v3 9.8
EPSS 0.0006
EPSS Percentile 20.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-287 CWE-345 CWE-502 CWE-565
Status published
Products (3)
rack/rack-session 2.0.0 - 2.1.2
rack/rack-session >= 2.0.0, < 2.1.2
rubygems/rack-session 2.0.0 - 2.1.2RubyGems
Published Apr 07, 2026
Tracked Since Apr 08, 2026