CVE-2026-24894Improper Privilege Management in Dunglas Frankenphp

CWE-269Improper Privilege ManagementCWE-384Session FixationCWE-613Insufficient Session Expiration5 documents4 sources
Severity
8.7HIGHNVD
EPSS
0.1%
top 81.99%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Github.com Dunglas FrankenphpPHP Frankenphp
Timeline
PublishedFeb 12
Latest updateFeb 17

Description

FrankenPHP is a modern application server for PHP. Prior to 1.11.2, when running FrankenPHP in worker mode, the $_SESSION superglobal is not correctly reset between requests. This allows a subsequent request processed by the same worker to access the $_SESSION data of the previous request (potentially belonging to a different user) before session_start() is called. This vulnerability is fixed in 1.11.2.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Packages2 packages

NVDphp/frankenphp< 1.11.2

Patches

Patch: github.com

🔴Vulnerability Details

3
OSV
FrankenPHP leaks session data between requests in worker mode in github.com/dunglas/frankenphp2026-02-17
GHSA
FrankenPHP leaks session data between requests in worker mode2026-02-12
OSV
FrankenPHP leaks session data between requests in worker mode2026-02-12

🕵️Threat Intelligence

1
Wiz
CVE-2026-24894 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-24894 — Improper Privilege Management | cvebase