Privilege escalation in PHP FrankenPHP

CVE-2026-24894

FrankenPHP is a modern application server for PHP. Prior to 1.11.2, when running FrankenPHP in worker mode, the $_SESSION superglobal is not correctly reset between requests. This allows a subsequent request processed by the same worker to…

Vulnerability class: Privilege Escalation

EPSS: 0.001 (19.1th percentile)
