Ubuntu Security Notices

USN-8190-1: Rack::Session vulnerability

Publication date: 20 April 2026

Overview

Rack::Session could allow unintended access to network services.

Releases: 25.10

Packages

ruby-rack-session - Session management implementation for Rack

Details

SeungMyung Lee discovered that Rack::Session did not properly reject cookies upon decryption failure. A remote attacker could use this issue to manipulate session contents and possibly gain unauthorized access.

Update instructions

After a standard system update you need to restart ruby-rack-session to make all the necessary changes.

The problem can be corrected by updating your system to the following package versions:

Ubuntu Release | Package | Version
25.10 (questing) | ruby-rack-session | 2.1.1-0.1ubuntu0.1

References

CVE-2026-39324
A critical vulnerability (CVE-2026-39324, CVSS 9.8) in Rack::Session allows remote attackers to manipulate session contents and gain unauthorized access by exploiting improper cookie rejection upon decryption failure. The vulnerability affects rack-session versions 2.0.0 through 2.1.1, and it is fixed in version 2.1.2. After applying the update, a restart of the ruby-rack-session service is required.
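The defensive property the fix restores is fail-closed cookie handling: when a session cookie cannot be decrypted and authenticated, the server starts from an empty session and uses nothing derived from the cookie. The following is an added illustration of that property in Ruby, not rack-session's own code; it assumes an AES-256-GCM cookie layout (base64 iv.ciphertext.tag) chosen here for the example.

```ruby
require "openssl"
require "json"

# Seal a session hash into a cookie string: base64(iv).base64(ciphertext).base64(tag).
# The layout is constructed for this example; it is not rack-session's format.
def seal_session(key, session)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = key
  iv = cipher.random_iv
  cipher.auth_data = ""
  ciphertext = cipher.update(JSON.generate(session)) + cipher.final
  [iv, ciphertext, cipher.auth_tag].map { |b| [b].pack("m0") }.join(".")
end

# Load a session from a cookie. Every failure path (bad encoding, short tag,
# wrong key, modified ciphertext, unparsable plaintext) returns {} so that no
# attacker-controlled bytes ever reach the application as session state.
def load_session(key, cookie)
  iv, ciphertext, tag = cookie.to_s.split(".", 3).map { |b| b.unpack1("m0") }
  # Reject missing parts and truncated tags; GCM would accept a short tag if set.
  return {} if iv.nil? || ciphertext.nil? || tag.nil? || tag.bytesize != 16
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = key
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = ""
  plaintext = cipher.update(ciphertext) + cipher.final # raises on tag mismatch
  parsed = JSON.parse(plaintext)
  parsed.is_a?(Hash) ? parsed : {}
rescue OpenSSL::Cipher::CipherError, JSON::ParserError, ArgumentError
  {} # fail closed: a fresh, empty session, never partial or unverified contents
end

# Small demonstration with a constructed key and session.
if __FILE__ == $0
  key = OpenSSL::Random.random_bytes(32)
  cookie = seal_session(key, { "user" => "alice", "admin" => false })
  puts load_session(key, cookie).inspect            # original session
  puts load_session(key, cookie + "x").inspect      # {} : corrupted cookie
end
```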