Home / mailings [USN-8190-1] Rack::Session vulnerability
Posted on 23 April 2026
Ubuntu Security==========================================================================Ubuntu Security Notice USN-8190-1
April 20, 2026
ruby-rack-session vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 25.10
Summary:
Rack::Session could allow unintended access to network services.
Software Description:
- ruby-rack-session: Session management implementation for Rack
Details:
SeungMyung Lee discovered that Rack::Session did not properly reject
cookies upon decryption failure. A remote attacker could use this issue to
manipulate session contents and possibly gain unauthorized access.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 25.10
ruby-rack-session 2.1.1-0.1ubuntu0.1
After a standard system update you need to restart ruby-rack-session to
make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-8190-1
CVE-2026-39324
Package Information:
https://launchpad.net/ubuntu/+source/ruby-rack-session/2.1.1-0.1ubuntu0.1
--===============3663485828176854903==Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
