Skip to main content

Rack CVE-2026-26962

| EUVDEUVD-2026-18417 MEDIUM
Improper Neutralization of CRLF Sequences ('CRLF Injection') (CWE-93)
2026-04-02 GitHub_M GHSA-rx22-g9mx-qrhv
4.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.8 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
SUSE
MEDIUM
qualitative
Red Hat
4.8 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch released
Apr 03, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Apr 02, 2026 - 17:30 euvd
EUVD-2026-18417
Analysis Generated
Apr 02, 2026 - 17:30 vuln.today
CVE Published
Apr 02, 2026 - 17:10 nvd
MEDIUM 4.8

DescriptionGitHub Advisory

Rack is a modular Ruby web server interface. From version 3.2.0 to before version 3.2.6, Rack::Multipart::Parser unfolds folded multipart part headers incorrectly. When a multipart header contains an obs-fold sequence, Rack preserves the embedded CRLF in parsed parameter values such as filename or name instead of removing the folded line break during unfolding. As a result, applications that later reuse those parsed values in HTTP response headers may be vulnerable to downstream header injection or response splitting. This issue has been patched in version 3.2.6.

AnalysisAI

Rack versions 3.2.0 through 3.2.5 fail to properly unfold folded multipart headers containing obs-fold sequences, preserving embedded CRLF characters in parsed parameter values like filename and name. This allows unauthenticated remote attackers with high request complexity to inject HTTP response headers or split responses when applications reuse these parsed values, leading to potential session hijacking, cache poisoning, or credential theft. The vulnerability carries a moderate CVSS score of

Technical ContextAI

Rack is a foundational Ruby web server interface library that standardizes HTTP request/response handling across multiple Ruby frameworks. The vulnerability resides in the Rack::Multipart::Parser module, which processes multipart/form-data request bodies per RFC 2045/2046. RFC 5322 defines obs-fold (obsolete line folding) as a CRLF sequence followed by whitespace, used historically to continue header values across multiple lines. RFC 7578 extends this to multipart headers. The parser incorrectly preserves the embedded CRLF within the unfolded value instead of removing it per RFC 5322 Section 2.2.3, which states folded whitespace must be replaced with a single space during unfolding. When applications extract parsed multipart parameters (name, filename) and use them in HTTP response headers without additional sanitization, this leftover CRLF can break the header boundary and inject arbitrary headers or HTTP request content into the response body-a class CWE-93 (Type Confusion) issue that manifests as improper handling of special characters in structured data. The vulnerability affects all Rack versions from 3.2.0 onwards until the patched 3.2.6 release.

RemediationAI

Upgrade Rack to version 3.2.6 or later immediately. In Gemfile, update the rack dependency to gem 'rack', '~> 3.2.6' or gem 'rack', '>= 3.2.6', then run bundle update rack and deploy. If immediate upgrade is not feasible, applications can implement defensive mitigation by explicitly sanitizing multipart parameter values before using them in HTTP response headers-remove or encode any CRLF sequences from filename, name, and other parsed multipart parameters if they are written to response headers. However, patching is the recommended approach. For Rails applications, ensure you are using a Rails version that depends on patched Rack (Rails 8.0.1+ or equivalent maintenance releases; check Rails release notes against your version). See GitHub security advisory GHSA-rx22-g9mx-qrhv for additional context.

More in Rack

View all
CVE-2026-22860 HIGH POC
7.5 Feb 18

Directory traversal in Rack versions prior to 2.2.22, 3.1.20, and 3.2.5 allows unauthenticated remote attackers to list

CVE-2024-26141 HIGH POC
7.5 Feb 29

Rack is a modular Ruby web server interface. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable,

CVE-2024-25126 HIGH POC
7.5 Feb 29

Rack is a modular Ruby web server interface. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable,

CVE-2020-8184 HIGH POC
7.5 Jun 19

A reliance on cookies without validation/integrity check security vulnerability exists in rack < 2.2.3, rack < 2.1.4 tha

CVE-2022-30123 CRITICAL
10.0 Dec 05

A sequence injection vulnerability exists in Rack <2.0.9.1, <2.1.4.1 and <2.2.3.1 which could allow is a possible shell

CVE-2025-25184 MEDIUM POC
5.7 Feb 12

Rack provides an interface for developing web applications in Ruby. Rated medium severity (CVSS 5.7), this vulnerability

CVE-2026-25500 MEDIUM POC
5.4 Feb 18

Rack's Directory module fails to sanitize filenames when generating HTML directory listings, allowing attackers to craft

CVE-2020-8161 HIGH
8.6 Jul 02

A directory traversal vulnerability exists in rack < 2.2.0 that allows an attacker perform directory traversal vulnerabi

CVE-2013-0263 MEDIUM
5.1 Feb 08

Rack::Session::Cookie in Rack 1.5.x before 1.5.2, 1.4.x before 1.4.5, 1.3.x before 1.3.10, 1.2.x before 1.2.8, and 1.1.x

CVE-2025-46727 HIGH
7.5 May 07

Rack is a modular Ruby web server interface. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable,

CVE-2015-3225 MEDIUM
5.0 Jul 26

lib/rack/utils.rb in Rack before 1.5.4 and 1.6.x before 1.6.2, as used with Ruby on Rails 3.x and 4.x and other products

CVE-2025-59830 HIGH
7.5 Sep 25

Rack is a modular Ruby web server interface. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable,

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 16.1 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Public Cloud 15 SP7 Fixed

Share

CVE-2026-26962 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy