NIXPKGS-2026-0229

GitHub issue published on 15 Feb 2026

Permalink CVE-2026-24894

updated 3 weeks ago by @LeSuisse Activity log

Created automatic suggestion 3 weeks, 3 days ago
@LeSuisse accepted 3 weeks ago
@LeSuisse published on GitHub 3 weeks ago

FrankenPHP leaks session data between requests in worker mode

FrankenPHP is a modern application server for PHP. Prior to 1.11.2, when running FrankenPHP in worker mode, the $_SESSION superglobal is not correctly reset between requests. This allows a subsequent request processed by the same worker to access the $_SESSION data of the previous request (potentially belonging to a different user) before session_start() is called. This vulnerability is fixed in 1.11.2.

References

https://github.com/php/frankenphp/commit/24d6c991a7761b638190eb081deae258143e9735 x_refsource_MISC
https://github.com/php/frankenphp/releases/tag/v1.11.2 x_refsource_MISC
https://github.com/php/frankenphp/security/advisories/GHSA-r3xh-3r3w-47gp x_refsource_CONFIRM

Affected products

frankenphp

==< 1.11.2

Matching in nixpkgs

pkgs.frankenphp

Modern PHP app server

nixos-unstable 1.11.1
- nixpkgs-unstable 1.11.1
- nixos-unstable-small 1.11.1
nixos-25.11 1.9.1
- nixos-25.11-small 1.9.1
- nixpkgs-25.11-darwin 1.9.1

Package maintainers

@gaelreyrol Gaël Reyrol <me@gaelreyrol.dev>
@shyim Soner Sayakci <s.sayakci@gmail.com>

Upstream advisory: https://github.com/php/frankenphp/security/advisories/GHSA-r3xh-3r3w-47gp
Upstream patch: https://github.com/php/frankenphp/commit/24d6c991a7761b638190eb081deae258143e9735

Nixpkgs Security Tracker

Details of issue NIXPKGS-2026-0229

References

Affected products

Matching in nixpkgs

pkgs.frankenphp

Package maintainers