CVE-2026-24894

7.5 HIGH

📋 TL;DR

In FrankenPHP worker mode, session data from one user's request can remain accessible to another user's request processed by the same worker. All FrankenPHP deployments running in worker mode with session handling are affected. The leak occurs before session_start() is called, so sensitive session data may be exposed to the wrong request.

💻 Affected Systems

Products:
  • FrankenPHP
Versions: All versions prior to 1.11.2
Operating Systems: All platforms running FrankenPHP
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments running in worker mode with session handling enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full session hijack where an attacker gains access to authenticated user sessions, potentially leading to account takeover, data theft, or privilege escalation.

🟠 Likely Case: Information disclosure where users can see fragments of other users' session data, potentially exposing personal information or application state.

🟢 If Mitigated: Limited exposure if sessions contain minimal sensitive data or if additional session validation is implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires understanding of FrankenPHP worker scheduling and session handling. No public exploit code available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.11.2

Vendor Advisory: https://github.com/php/frankenphp/security/advisories/GHSA-r3xh-3r3w-47gp

Restart Required: No

Instructions:

  • Update FrankenPHP to version 1.11.2 or later using your package manager
  • For manual installation: download from https://github.com/php/frankenphp/releases/tag/v1.11.2
  • Replace the existing FrankenPHP binary with the patched version
  • No application restart required - workers will pick up the new binary on the next request

🔧 Temporary Workarounds

Disable Worker Mode (applies to: all)

Run FrankenPHP in traditional mode instead of worker mode to avoid the vulnerability. Modify the FrankenPHP configuration to use traditional mode instead of worker mode.

Session Isolation (applies to: all)

Implement application-level session validation to ensure session data belongs to the current user. Add session validation logic in application code before using $_SESSION.

🧯 If You Can't Patch

  • Implement strict session validation in application code before accessing $_SESSION
  • Consider migrating to traditional mode instead of worker mode
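Added example (not from the advisory or the FrankenPHP project) of the application-level session validation the Session Isolation workaround and the list above describe, written as a FrankenPHP worker script: it clears and logs any $_SESSION contents left over before session_start(), then checks that the loaded session is bound to the current session id. The app_* function names and the '_bound_sid' key are assumptions; frankenphp_handle_request() is FrankenPHP's worker-mode request loop.

```php
<?php
// Added example, not code from the advisory or the FrankenPHP project.
// The app_* names and the '_bound_sid' key are assumptions, not real APIs.

ignore_user_abort(true);

// Before session_start(), a fresh request should see an empty $_SESSION;
// anything present was carried over from an earlier request on this worker.
function app_reset_stale_session(): bool
{
    $stale = !empty($_SESSION);
    if ($stale) {
        error_log('session-isolation: stale $_SESSION cleared before session_start()');
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_write_close();
    }
    $_SESSION = [];
    return $stale;
}

// Bind loaded session data to its own session id; a mismatch on a later
// request means the data is not this client's. Re-bind after session_regenerate_id().
function app_session_is_bound(): bool
{
    if (!isset($_SESSION['_bound_sid'])) {
        $_SESSION['_bound_sid'] = session_id();
        return true;
    }
    return hash_equals($_SESSION['_bound_sid'], session_id());
}

$handler = static function (): void {
    app_reset_stale_session();
    session_start();
    if (!app_session_is_bound()) {
        error_log('session-isolation: session not bound to current id; discarding');
        session_unset();
        session_destroy();
        http_response_code(401);
        return;
    }
    // Application code runs here; $_SESSION is now safe to read.
    echo 'hello ' . htmlspecialchars((string) ($_SESSION['user_id'] ?? 'guest'));
    session_write_close();
};

while (frankenphp_handle_request($handler)) {
    gc_collect_cycles();
}
```

The error_log lines give the "session-related anomalies" the Detection section looks for a concrete string to search on.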

🔍 How to Verify

Check if Vulnerable:

Check FrankenPHP version and confirm if running in worker mode with session handling

Check Version:

frankenphp --version

Verify Fix Applied:

Verify FrankenPHP version is 1.11.2 or higher and test session isolation between requests

📡 Detection & Monitoring

Log Indicators:

  • Multiple users reporting seeing other users' data
  • Session-related errors or anomalies in application logs

Network Indicators:

  • Unusual session activity patterns
  • Multiple session creations from same worker

SIEM Query:

Search for application errors containing 'session' or '$_SESSION' anomalies across multiple user IDs
