Platform: go
Component: github.com/dunglas/frankenphp
Fixed in: 1.11.3, 1.11.2
CVE-2026-24894 describes a session data leak vulnerability in FrankenPHP, a PHP testing tool. The flaw occurs only when FrankenPHP runs in worker mode, and it can expose sensitive session information to an attacker. Versions 1.11.1 and earlier are affected; the fix is available in version 1.11.2.
The root cause lies in how FrankenPHP handles session data in worker mode. In worker mode, FrankenPHP executes PHP code in separate processes, and because of a flaw in session management, data from one request can be exposed to subsequent requests handled by the same worker. An attacker could use this to read sensitive information stored in the session, such as API keys, user credentials or other application-specific data. The impact is significant wherever FrankenPHP is used to test applications that handle sensitive data, since a leak of this kind can lead to data breaches and compromise of application security.
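To illustrate the bug class described above, here is an added Go example. It is not FrankenPHP code and does not reproduce the project's actual flawed or fixed logic; it models a long-lived worker that keeps a $_SESSION-like view of the current request. When that view is not reset before each request, a request arriving without a session cookie sees the previous request's data. The Request, Worker and LeakedOwner names and the two sample requests are constructed for this illustration.

```go
package main

import "fmt"

// Request models one HTTP request reaching a long-lived worker. SessionID is
// empty when the client sent no session cookie. (Constructed for this example.)
type Request struct {
	Client    string
	SessionID string
}

// Worker models a long-lived PHP worker: it survives across requests, so any
// state left on it is visible to the next request unless it is reset.
type Worker struct {
	store   map[string]map[string]string // persisted sessions, keyed by session id
	current map[string]string            // the $_SESSION-like view of the current request
}

func NewWorker() *Worker {
	return &Worker{store: map[string]map[string]string{}}
}

// Handle processes one request. With resetPerRequest=false it reproduces the
// bug class: a request without a session cookie inherits the previous
// request's session view. With resetPerRequest=true the per-request state is
// cleared before the request runs, which is the behaviour a fix has to restore.
func (w *Worker) Handle(req Request, resetPerRequest bool) map[string]string {
	if resetPerRequest {
		w.current = nil
	}
	if req.SessionID != "" {
		if w.store[req.SessionID] == nil {
			w.store[req.SessionID] = map[string]string{}
		}
		w.current = w.store[req.SessionID]
		w.current["owner"] = req.Client
	}
	// Return a copy of what this request "sees" as its session
	// (ranging over a nil map simply yields nothing).
	seen := map[string]string{}
	for k, v := range w.current {
		seen[k] = v
	}
	return seen
}

// LeakedOwner runs two requests through the same worker: alice arrives with a
// session, then bob arrives without one. It returns the owner bob can see;
// "" means nothing leaked.
func LeakedOwner(resetPerRequest bool) string {
	w := NewWorker()
	w.Handle(Request{Client: "alice", SessionID: "sess-A"}, resetPerRequest)
	seen := w.Handle(Request{Client: "bob"}, resetPerRequest)
	return seen["owner"]
}

func main() {
	fmt.Printf("without reset, bob sees owner=%q\n", LeakedOwner(false)) // "alice"
	fmt.Printf("with reset, bob sees owner=%q\n", LeakedOwner(true))     // ""
}
```

The defensive point is general to any worker or application-server model that keeps a process alive across requests: every piece of request-scoped state (session view, superglobals, per-request caches) must be reset at request start, not merely overwritten when a new value happens to arrive.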
CVE-2026-24894 was publicly disclosed on 2026-02-17. There are currently no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog at the time of writing. Given the nature of the vulnerability and the lack of public exploits, the probability of exploitation is currently considered low to medium.
Exploit Status
EPSS: 0.04% (13th percentile)
CISA SSVC
The primary mitigation for CVE-2026-24894 is to upgrade FrankenPHP to version 1.11.2 or later, which contains the fix for the session data leak. If an immediate upgrade is not feasible because of compatibility concerns or testing requirements, consider temporarily disabling worker mode if it is not essential to your testing workflow; this is not a complete solution, but it reduces the attack surface. Also review your FrankenPHP configuration to ensure that session handling is as secure as possible. No WAF rules or detection signatures are readily available for this vulnerability, which makes timely patching all the more important.
Update FrankenPHP to version 1.11.2 or higher. This version fixes the vulnerability that allows session data leakage between requests in worker mode. The update ensures that session data is correctly reset between requests, preventing unauthorized access to information from other users.
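As an added example, not part of this advisory or of the FrankenPHP project, the following Go program checks a go.mod file for the affected module and compares the pinned version against the fixed release named on this page (v1.11.2). The sample go.mod content and the helper names (FrankenPHPVersion, IsAffected, parseSemver) are constructed for the illustration; the version comparison is a plain numeric major.minor.patch comparison that ignores pre-release tags.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Module path and first fixed version, as given on the advisory page.
const (
	AffectedModule = "github.com/dunglas/frankenphp"
	FixedVersion   = "v1.11.2"
)

// parseSemver turns "v1.11.1" (optionally with a -pre suffix or +build
// metadata) into its three numeric components. Pre-release tags are ignored,
// so v1.11.2-rc1 is treated as 1.11.2.
func parseSemver(v string) ([3]int, error) {
	var out [3]int
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return out, fmt.Errorf("unexpected version %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, fmt.Errorf("unexpected version %q", v)
		}
		out[i] = n
	}
	return out, nil
}

// less reports whether a < b, comparing major, minor and patch in turn.
func less(a, b [3]int) bool {
	for i := 0; i < 3; i++ {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// requireLine matches "<module> v<version>" whether it appears inline after
// "require" or inside a require ( ... ) block.
var requireLine = regexp.MustCompile(`^\s*(?:require\s+)?(\S+)\s+(v\S+)`)

// FrankenPHPVersion returns the version of the affected module required by
// the given go.mod text, or "" if the module is not required at all.
func FrankenPHPVersion(goMod string) string {
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i] // drop trailing comments such as "// indirect"
		}
		m := requireLine.FindStringSubmatch(line)
		if m != nil && m[1] == AffectedModule {
			return m[2]
		}
	}
	return ""
}

// IsAffected reports whether the go.mod pins a FrankenPHP version older than
// the fixed release. A version that cannot be parsed is reported as affected
// so that it gets looked at rather than silently passed.
func IsAffected(goMod string) bool {
	v := FrankenPHPVersion(goMod)
	if v == "" {
		return false
	}
	got, err := parseSemver(v)
	if err != nil {
		return true
	}
	fixed, _ := parseSemver(FixedVersion)
	return less(got, fixed)
}

// Constructed sample go.mod for demonstration; not a real project file.
const sampleGoMod = `module example.com/app

go 1.22

require (
	github.com/caddyserver/caddy/v2 v2.8.4
	github.com/dunglas/frankenphp v1.11.1 // indirect
)
`

func main() {
	fmt.Printf("frankenphp %s affected=%v\n", FrankenPHPVersion(sampleGoMod), IsAffected(sampleGoMod))
}
```

Because this only reads go.mod, it reports what the module graph requests, not what was actually built; in a real pipeline the same comparison should be run against the resolved version (for example from `go list -m` or the binary's embedded build info), and remember that a pre-release of 1.11.2 is treated here as fixed.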
CVE-2026-24894 is a HIGH severity vulnerability in FrankenPHP where session data is leaked between requests in worker mode, potentially exposing sensitive information.
Yes. If you are running FrankenPHP version 1.11.1 or earlier and using worker mode, you are vulnerable to this session data leak.
Upgrade FrankenPHP to version 1.11.2 or later to resolve the vulnerability. If immediate upgrade is not possible, consider disabling worker mode.
Currently, there are no known public exploits or confirmed active exploitation campaigns targeting CVE-2026-24894.
Refer to the official FrankenPHP repository and release notes for details on the vulnerability and the fix: https://github.com/dunglas/frankenphp