CVE-2026-24894 Overview
CVE-2026-24894 is a session data leak vulnerability affecting FrankenPHP, a modern application server for PHP. When running FrankenPHP in worker mode, the $_SESSION superglobal is not correctly reset between requests. This flaw allows a subsequent request processed by the same worker to access the $_SESSION data of the previous request (potentially belonging to a different user) before session_start() is called.
This vulnerability represents a significant information disclosure risk in multi-tenant environments where session isolation is critical for maintaining user privacy and security boundaries.
Critical Impact
Unauthorized access to sensitive session data belonging to other users, potentially enabling session hijacking, identity theft, and exposure of personally identifiable information (PII) stored in PHP sessions.
Affected Products
- FrankenPHP versions prior to 1.11.2
- FrankenPHP deployments running in worker mode
- PHP applications using session management on vulnerable FrankenPHP instances
Discovery Timeline
- 2026-02-12 - CVE CVE-2026-24894 published to NVD
- 2026-02-12 - Last updated in NVD database
Technical Details for CVE-2026-24894
Vulnerability Analysis
This vulnerability stems from improper cleanup of the $_SESSION superglobal between requests when FrankenPHP operates in worker mode. Unlike traditional PHP-FPM deployments where each request runs in isolated process contexts, worker mode reuses the same PHP execution environment across multiple requests for performance optimization.
The root issue lies in how PHP's session handling interacts with FrankenPHP's worker architecture. While the session RSHUTDOWN (request shutdown) mechanism decrements the reference count of session variables, it fails to remove the $_SESSION entry from the symbol table. This leaves residual session data accessible to subsequent requests handled by the same worker process.
An attacker exploiting this vulnerability could potentially access sensitive user data including authentication tokens, user preferences, shopping cart contents, or any other data stored in PHP sessions. The exploitation requires no special privileges and can be triggered remotely through normal HTTP requests.
Root Cause
The vulnerability exists because $_SESSION is stored differently from other PHP superglobals. Unlike $_GET, $_POST, and similar variables, $_SESSION is stored in EG(symbol_table) with a reference to PS(http_session_vars). During request shutdown, the session handler only decrements the refcount but does not explicitly remove the symbol table entry, causing session data to persist and leak between worker requests.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. The exposure occurs as follows:
- An attacker sends an ordinary HTTP request to a FrankenPHP server running in worker mode
- The request is assigned to a worker that previously processed another user's session
- Until session_start() is called for the attacker's request, the previous user's $_SESSION data remains accessible
- Application code that reads $_SESSION before session_start() may inadvertently expose or process the leaked data
// Security patch from FrankenPHP commit 24d6c991a7761b638190eb081deae258143e9735
// fix(worker): session leak between requests
zval *files = &PG(http_globals)[TRACK_VARS_FILES];
zval_ptr_dtor_nogc(files);
memset(files, 0, sizeof(*files));
+ /* $_SESSION must be explicitly deleted from the symbol table.
+ * Unlike other superglobals, $_SESSION is stored in EG(symbol_table)
+ * with a reference to PS(http_session_vars). The session RSHUTDOWN
+ * only decrements the refcount but doesn't remove it from the symbol
+ * table, causing data to leak between requests. */
+ zend_hash_str_del(&EG(symbol_table), "_SESSION", sizeof("_SESSION") - 1);
}
zend_end_try();
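Review bot: the added zend_hash_str_del(&EG(symbol_table), "_SESSION", ...) call is unconditional and its return value is ignored, which is fine (the call returns FAILURE and does nothing when the key is absent, so requests that never started a session are unaffected), but the hunk ships without a regression test; suggest a worker-mode test that pushes two requests through one worker, populates $_SESSION in the first, and asserts that isset($_SESSION) is false before session_start() in the second. The comment block explaining why $_SESSION needs separate treatment from the PG(http_globals) entries cleared just above it is the right level of documentation for this kind of engine-internal fix.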
Source: GitHub Commit Update
Detection Methods for CVE-2026-24894
Indicators of Compromise
- Unexpected session data appearing in application logs before session_start() calls
- User reports of seeing other users' data or account information
- Anomalous session variable contents that don't match current request context
- Application errors related to session type mismatches or unexpected session keys
Detection Strategies
- Monitor application logs for session-related anomalies where session data appears before initialization
- Implement application-level checks to validate session ownership immediately after session_start()
- Deploy network monitoring to identify patterns of rapid sequential requests to worker-mode endpoints
- Audit PHP code for any access to $_SESSION variables before session_start() is called
Monitoring Recommendations
- Enable verbose logging for FrankenPHP worker processes to track request-to-worker assignments
- Implement session integrity checks that verify user identifiers match authenticated sessions
- Configure alerting for applications reporting session data inconsistencies
- Review FrankenPHP deployment configurations to identify worker mode usage
How to Mitigate CVE-2026-24894
Immediate Actions Required
- Upgrade FrankenPHP to version 1.11.2 or later immediately
- If immediate upgrade is not possible, consider temporarily switching from worker mode to standard mode
- Audit applications for any code that accesses $_SESSION before calling session_start()
- Review session handling code to ensure session_start() is called as early as possible in request processing
Patch Information
The vulnerability has been fixed in FrankenPHP version 1.11.2. The patch explicitly removes the $_SESSION entry from the symbol table during request cleanup, preventing session data from leaking to subsequent requests.
- Fixed Version: 1.11.2
- Patch Commit: 24d6c991a7761b638190eb081deae258143e9735
- Release Notes: GitHub Release v1.11.2
- Security Advisory: GHSA-r3xh-3r3w-47gp
Workarounds
- Call session_start() as the first operation in your PHP application entry point to minimize the window of exposure
- Avoid accessing $_SESSION superglobal before explicitly initializing the session
- Consider using alternative session storage mechanisms that don't rely on $_SESSION superglobal
- Temporarily disable worker mode in favor of traditional PHP-FPM if upgrading is not immediately possible
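The detection strategies, the session-ownership check and the workarounds above combined into one FrankenPHP worker entry point, as an added example that is not the advisory's or FrankenPHP's own code. It assumes session.auto_start=0, that nothing else touches $_SESSION before the handler runs, and that FrankenPHP's frankenphp_handle_request() worker API is available.

```php
<?php
// Added example (not FrankenPHP's or the advisory's code). A worker-mode entry
// point that logs residual $_SESSION data before session_start() as an
// indicator of CVE-2026-24894, clears it as a stop-gap on unpatched builds,
// and binds the started session to the client as an ownership check.
// Assumes session.auto_start=0 and that frankenphp_handle_request() exists.
declare(strict_types=1);

ignore_user_abort(true);

/** True when $_SESSION already carries data although session_start() has not run. */
function residualSessionPresent(): bool
{
    return isset($_SESSION) && is_array($_SESSION) && $_SESSION !== [];
}

/** Log key names only (never values), then drop the stale symbol-table entry. */
function reportAndClearResidualSession(): void
{
    error_log('CVE-2026-24894 indicator: $_SESSION populated before session_start(), keys='
        . implode(',', array_keys($_SESSION)));
    unset($_SESSION); // session_start() recreates a fresh $_SESSION afterwards
}

/** Per-client fingerprint stored in the session; components are a deployment choice. */
function clientFingerprint(): string
{
    return hash('sha256', ($_SERVER['HTTP_USER_AGENT'] ?? '') . '|' . ($_SERVER['REMOTE_ADDR'] ?? ''));
}

$handler = static function (): void {
    if (residualSessionPresent()) {
        reportAndClearResidualSession();
    }
    session_start(); // first operation of the request, as the advisory recommends

    if (!isset($_SESSION['fp'])) {
        $_SESSION['fp'] = clientFingerprint();
    } elseif (!hash_equals((string) $_SESSION['fp'], clientFingerprint())) {
        // Session content does not belong to this client: discard it and re-key.
        error_log('session ownership mismatch for sid ' . session_id());
        $_SESSION = [];
        session_regenerate_id(true);
        $_SESSION['fp'] = clientFingerprint();
    }

    echo 'ok'; // application logic goes here
};

// Standard worker loop: handle requests on this worker until told to stop.
while (frankenphp_handle_request($handler)) {
    gc_collect_cycles();
}
```

The fingerprint includes REMOTE_ADDR, so clients whose address changes mid-session (mobile networks, some proxies) will be logged out; drop that component or use a server-issued binding token if that matters for your deployment.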
# Update FrankenPHP to patched version
# Using Docker
docker pull dunglas/frankenphp:1.11.2
# Verify version after update
frankenphp version
# Expected output should show 1.11.2 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.