CVE-2026-24894 is a vulnerability in the FrankenPHP application server for PHP, specifically affecting versions prior to 1.11.2 when running in worker mode. The issue stems from improper privilege management and session handling, where the $_SESSION superglobal variable is not correctly reset between HTTP requests processed by the same worker process. As a result, a subsequent request can access the session data of a previous request, potentially belonging to a different user, before the session_start() function is invoked. This leads to a confidentiality breach, as sensitive session information such as authentication tokens, user preferences, or other private data may be exposed across user sessions. The vulnerability is categorized under CWE-269 (Improper Privilege Management), CWE-384 (Session Fixation), and CWE-613 (Insufficient Session Expiration). The flaw does not require any authentication or user interaction to be exploited, and the attack vector is network-based, making it remotely exploitable. The vulnerability was publicly disclosed on February 12, 2026, and fixed in FrankenPHP version 1.11.2. No known exploits are currently reported in the wild, but the high CVSS 4.0 score of 8.7 indicates a significant risk. This vulnerability primarily impacts web applications relying on FrankenPHP in worker mode, which is designed for high-performance PHP application hosting by reusing worker processes for multiple requests. The failure to isolate session data between requests violates fundamental session management principles, potentially allowing attackers or malicious users to hijack or leak session information from other users sharing the same worker.

For European organizations, this vulnerability poses a serious risk to user data confidentiality and privacy, especially for those operating web applications or services using FrankenPHP in worker mode. Exposure of session data can lead to unauthorized access to user accounts, leakage of personally identifiable information (PII), and potential compliance violations under GDPR due to inadequate protection of user data. The impact extends to reputational damage, loss of customer trust, and potential financial penalties. Organizations in sectors such as finance, e-commerce, healthcare, and government services are particularly vulnerable due to the sensitive nature of their data and regulatory requirements. Since the vulnerability allows cross-user session data leakage without authentication, attackers can exploit it remotely with minimal effort. This can facilitate further attacks such as account takeover, privilege escalation, or data exfiltration. The shared worker model in FrankenPHP amplifies the risk by enabling session data crossover between unrelated users. The absence of known exploits in the wild currently provides a window for mitigation, but the high severity score necessitates urgent action to prevent exploitation.

The primary mitigation is to upgrade all FrankenPHP deployments to version 1.11.2 or later, where the session reset issue is fixed. Organizations should audit their current FrankenPHP versions and prioritize patching in production environments. Additionally, review and enforce strict session management policies, ensuring that session data is properly isolated and cleared between requests, especially in worker or multi-threaded modes. Implement monitoring and logging to detect anomalous session access patterns that may indicate exploitation attempts. Consider deploying web application firewalls (WAFs) with custom rules to detect and block suspicious requests targeting session handling endpoints. For critical applications, conduct penetration testing focused on session management to verify the effectiveness of mitigations. Educate developers and system administrators about secure session handling best practices, including avoiding reliance on shared worker memory for session storage. Finally, maintain an incident response plan to quickly address any detected exploitation or data leakage incidents related to this vulnerability.