Description

FrankenPHP is a modern application server for PHP. Prior to 1.11.2, when running FrankenPHP in worker mode, the $_SESSION superglobal is not correctly reset between requests. This allows a subsequent request processed by the same worker to access the $_SESSION data of the previous request (potentially belonging to a different user) before session_start() is called. This vulnerability is fixed in 1.11.2.

INFO

Published Date :

2026-02-12T19:12:04.387Z

Last Modified :

2026-02-12T20:04:57.869Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-24894 vulnerability.

Vendors Products
Php
  • Frankenphp
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-24894.

URL Resource
https://github.com/php/frankenphp/commit/24d6c991a7761b638190eb081deae258143e9735 cve-icon cve-icon
https://github.com/php/frankenphp/releases/tag/v1.11.2 cve-icon cve-icon
https://github.com/php/frankenphp/security/advisories/GHSA-r3xh-3r3w-47gp cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact