Skip to main content

Suse CVE-2026-39324

| EUVDEUVD-2026-19820 CRITICAL
Improper Authentication (CWE-287)
2026-04-07 security-advisories@github.com GHSA-33qg-7wpp-89cq
9.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Re-analysis Queued
Apr 15, 2026 - 20:22 vuln.today
cvss_changed
Patch released
Apr 08, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Apr 07, 2026 - 18:22 euvd
EUVD-2026-19820
Analysis Generated
Apr 07, 2026 - 18:22 vuln.today
CVE Published
Apr 07, 2026 - 18:16 nvd
CRITICAL 9.3

DescriptionGitHub Advisory

Rack::Session is a session management implementation for Rack. From 2.0.0 to before 2.1.2, Rack::Session::Cookie incorrectly handles decryption failures when configured with secrets:. If cookie decryption fails, the implementation falls back to a default decoder instead of rejecting the cookie. This allows an unauthenticated attacker to supply a crafted session cookie that is accepted as valid session data without knowledge of any configured secret. Because this mechanism is used to load session state, an attacker can manipulate session contents and potentially gain unauthorized access. This vulnerability is fixed in 2.1.2.

AnalysisAI

Session authentication bypass in Rack::Session::Cookie 2.0.0 through 2.1.1 allows unauthenticated remote attackers to forge valid session cookies and gain unauthorized access. When configured with secrets, the implementation incorrectly falls back to a default decoder on decryption failures rather than rejecting malformed cookies, enabling attackers to manipulate session state without any secret knowledge. CVSS 9.3 (Critical) with network attack vector, low complexity, and no privileges required. No public exploit or active exploitation (CISA KEV) identified at time of analysis, though the simplicity of the attack vector (AC:L, PR:N) suggests exploitation is straightforward once the vulnerability is understood.

Technical ContextAI

Rack::Session::Cookie is a cookie-based session storage implementation in the Rack web server interface framework used by Ruby applications including Rails and Sinatra. This vulnerability stems from improper authentication (CWE-287) in the cookie decryption logic. When the session middleware is configured with encryption secrets, legitimate session cookies should be encrypted and authenticated. The flawed implementation in versions 2.0.0-2.1.1 includes a fallback mechanism that activates when encrypted cookie decryption fails-instead of rejecting the invalid cookie, it attempts to decode it using an unauthenticated default decoder. This fallback path bypasses the cryptographic protection entirely, treating attacker-controlled data as valid session state. The vulnerability affects any Ruby web application using Rack::Session::Cookie with secrets: configuration for encrypted session storage.

RemediationAI

Vendor-released patch: Upgrade rack-session to version 2.1.2 or later, which removes the insecure fallback decoder and properly rejects session cookies that fail decryption validation. The fix is available immediately and should be prioritized for all production deployments. Update the rack-session gem dependency in your Gemfile or gemspec to ~> 2.1.2 or >= 2.1.2, then run bundle update rack-session. After upgrading, verify the new version is installed with bundle list | grep rack-session. No configuration changes are required beyond the version upgrade. For applications unable to upgrade immediately, consider temporary mitigation by rotating session secrets and implementing additional request validation, though these workarounds do not fully address the vulnerability. Detailed information is available in the GitHub Security Advisory at https://github.com/rack/rack-session/security/advisories/GHSA-33qg-7wpp-89cq. Review application logs for suspicious session activity following remediation.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 16.1 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Public Cloud 15 SP7 Fixed

Share

CVE-2026-39324 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy