CVE-2026-24894

Severity: HIGH | WAF coverage: Low
CVSS: 7.5 | Published: 2026-02-12
CWE-269

FrankenPHP is a modern application server for PHP. Prior to 1.11.2, when FrankenPHP runs in worker mode, the $_SESSION superglobal is not correctly reset between requests. A subsequent request handled by the same worker process can therefore read the $_SESSION data left behind by the previous request (potentially belonging to a different user) before session_start() is called. This vulnerability is fixed in 1.11.2.

WAF Coverage Analysis

CWE-269 Improper Privilege Management: Low WAF coverage

OWASP: A01:2021 Broken Access Control

Affected Software

Vendor: php
Product: frankenphp
Version: up to 1.11.2
