CVE-2026-39324 - Vulnerability Analysis
Last Updated: April 7, 2026
Rack::Session - Broken Access Control
Published: April 7, 2026 | Updated: April 7, 2026 | PoC Available
Overview
Rack::Session versions 2.0.0 up to, but not including, 2.1.2 contain a broken access control vulnerability caused by improper handling of cookie decryption failures in Rack::Session::Cookie. An unauthenticated attacker who presents a crafted session cookie can manipulate session contents and gain unauthorized access.
Severity & Score
Severity: N/a
Impact
Unauthenticated attackers can manipulate session data to gain unauthorized access to the application.
Mitigation
Upgrade to version 2.1.2 or later.
Related Resources
Details
- CVE ID: CVE-2026-39324
- Severity: N/a
- Type: broken_access_control
- Status: new
CWE
- CWE-287
CVSS Metrics
N/A