What is the CVSS score of CVE-2026-26962?

CVE-2026-26962 has a CVSS 3.1 base score of 4.8 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N. EPSS exploitation probability: 0.0%.

Is there a patch available for CVE-2026-26962?

Yes, a patch is available for CVE-2026-26962. Update the affected software to the latest version immediately.

Rack CVE-2026-26962

EUVD-2026-18417 MEDIUM

Improper Neutralization of CRLF Sequences ('CRLF Injection') (CWE-93)

2026-04-02 GitHub_M

GHSA-rx22-g9mx-qrhv

Code Injection

4.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

Lifecycle Timeline

Patch released

Apr 03, 2026 - 02:30 nvd

Patch available

EUVD ID Assigned

Apr 02, 2026 - 17:30 euvd

EUVD-2026-18417

Analysis Generated

Apr 02, 2026 - 17:30 vuln.today

CVE Published

Apr 02, 2026 - 17:10 nvd

MEDIUM 4.8

DescriptionNVD

Rack is a modular Ruby web server interface. From version 3.2.0 to before version 3.2.6, Rack::Multipart::Parser unfolds folded multipart part headers incorrectly. When a multipart header contains an obs-fold sequence, Rack preserves the embedded CRLF in parsed parameter values such as filename or name instead of removing the folded line break during unfolding. As a result, applications that later reuse those parsed values in HTTP response headers may be vulnerable to downstream header injection or response splitting. This issue has been patched in version 3.2.6.

AnalysisAI

Rack versions 3.2.0 through 3.2.5 fail to properly unfold folded multipart headers containing obs-fold sequences, preserving embedded CRLF characters in parsed parameter values like filename and name. This allows unauthenticated remote attackers with high request complexity to inject HTTP response headers or split responses when applications reuse these parsed values, leading to potential session hijacking, cache poisoning, or credential theft. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Vendor StatusVendor

CVE-2026-26962 vulnerability details – vuln.today

Back

Rack CVE-2026-26962

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Full analysis requires sign-in

Vendor StatusVendor

Share

External POC / Exploit Code