Auth bypass in Rack Rack-session

CVE-2026-39324

Rack::Session is a session management implementation for Rack. From 2.0.0 to before 2.1.2, Rack::Session::Cookie incorrectly handles decryption failures when configured with secrets:. If cookie decryption fails, the implementation falls ba…

Vulnerability class: Broken Authentication

EPSS: 0.001 (20.0th percentile)

Frequently asked questions

What is CVE-2026-39324?
CVE-2026-39324 is a vulnerability in Rack Rack-session, classified under Improper Authentication. Published 2026-04-07.
Is CVE-2026-39324 known to be exploited?
1 public proof-of-concept repository is indexed. Not currently listed in the CISA KEV catalog.