Skip to main content

Rack CVE-2026-32762

| EUVDEUVD-2026-18423 MEDIUM
Interpretation Conflict (CWE-436)
2026-04-02 GitHub_M GHSA-qfgr-crr9-7r49
4.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.8 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
SUSE
MEDIUM
qualitative
Red Hat
4.8 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch released
Apr 03, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Apr 02, 2026 - 17:30 euvd
EUVD-2026-18423
Analysis Generated
Apr 02, 2026 - 17:30 vuln.today
CVE Published
Apr 02, 2026 - 17:06 nvd
MEDIUM 4.8

DescriptionGitHub Advisory

Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21 and 3.2.0 to before 3.2.6, Rack::Utils.forwarded_values parses the RFC 7239 Forwarded header by splitting on semicolons before handling quoted-string values. Because quoted values may legally contain semicolons, a header can be interpreted by Rack as multiple Forwarded directives rather than as a single quoted for value. In deployments where an upstream proxy, WAF, or intermediary validates or preserves quoted Forwarded values differently, this discrepancy can allow an attacker to smuggle host, proto, for, or by parameters through a single header value. This issue has been patched in versions 3.1.21 and 3.2.6.

AnalysisAI

Rack::Utils.forwarded_values in Rack 3.0.0.beta1 through 3.1.20 and 3.2.0 through 3.2.5 misparses RFC 7239 Forwarded headers by splitting on semicolons before processing quoted strings, allowing attackers to inject or smuggle host, proto, for, or by parameters when an upstream proxy or WAF interprets the same header differently. The vulnerability affects request routing and protocol detection logic, enabling potential cache poisoning, host header injection, or protocol confusion attacks in architectures where intermediaries validate quoted Forwarded values inconsistently. No public exploit code or active exploitation has been confirmed at the time of analysis.

Technical ContextAI

Rack is a modular Ruby web application server interface (WSGI-equivalent for Ruby) that standardizes how HTTP requests are processed. The Rack::Utils.forwarded_values method implements RFC 7239 Forwarded header parsing to extract client IP addresses, protocols, and hostnames from proxied requests. The vulnerability stems from improper parsing order: the code splits header values on semicolons (which delimit Forwarded directives per RFC 7239) before decoding quoted-string values, violating RFC 5234 rules where quoted strings may legitimately contain semicolons when escaped or quoted. This creates a parser differential where Rack splits a single quoted directive into multiple directives, while RFC-compliant upstream proxies or WAFs treat it as a single value. The affected CPE (cpe:2.3:a:rack:rack:*:*:*:*:*:*:*:*) indicates all Rack versions in the 3.0 and 3.2 branches before patching are vulnerable. The root cause is classified under CWE-436 (Interpretation Conflict), a parser differentiation vulnerability.

RemediationAI

Vendor-released patch: upgrade to Rack 3.1.21 or 3.2.6 or later, which correctly parse quoted-string values in RFC 7239 Forwarded headers before splitting on semicolons. For Ruby on Rails users, ensure Gemfile.lock specifies the patched Rack version and run bundle update rack. If immediate patching is not feasible, disable or sanitize Forwarded header processing if not required (e.g., by configuring upstream proxies to strip untrusted Forwarded headers before forwarding to Rack), or validate that upstream intermediaries and Rack use identical RFC 7239 parsing logic. Refer to the official advisory at https://github.com/rack/rack/security/advisories/GHSA-qfgr-crr9-7r49 for details. Test patched deployments to ensure Forwarded header parsing behaves as expected, especially in multi-proxy setups.

More in Rack

View all
CVE-2026-22860 HIGH POC
7.5 Feb 18

Directory traversal in Rack versions prior to 2.2.22, 3.1.20, and 3.2.5 allows unauthenticated remote attackers to list

CVE-2024-26141 HIGH POC
7.5 Feb 29

Rack is a modular Ruby web server interface. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable,

CVE-2024-25126 HIGH POC
7.5 Feb 29

Rack is a modular Ruby web server interface. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable,

CVE-2020-8184 HIGH POC
7.5 Jun 19

A reliance on cookies without validation/integrity check security vulnerability exists in rack < 2.2.3, rack < 2.1.4 tha

CVE-2022-30123 CRITICAL
10.0 Dec 05

A sequence injection vulnerability exists in Rack <2.0.9.1, <2.1.4.1 and <2.2.3.1 which could allow is a possible shell

CVE-2025-25184 MEDIUM POC
5.7 Feb 12

Rack provides an interface for developing web applications in Ruby. Rated medium severity (CVSS 5.7), this vulnerability

CVE-2026-25500 MEDIUM POC
5.4 Feb 18

Rack's Directory module fails to sanitize filenames when generating HTML directory listings, allowing attackers to craft

CVE-2020-8161 HIGH
8.6 Jul 02

A directory traversal vulnerability exists in rack < 2.2.0 that allows an attacker perform directory traversal vulnerabi

CVE-2013-0263 MEDIUM
5.1 Feb 08

Rack::Session::Cookie in Rack 1.5.x before 1.5.2, 1.4.x before 1.4.5, 1.3.x before 1.3.10, 1.2.x before 1.2.8, and 1.1.x

CVE-2025-46727 HIGH
7.5 May 07

Rack is a modular Ruby web server interface. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable,

CVE-2015-3225 MEDIUM
5.0 Jul 26

lib/rack/utils.rb in Rack before 1.5.4 and 1.6.x before 1.6.2, as used with Ruby on Rails 3.x and 4.x and other products

CVE-2025-59830 HIGH
7.5 Sep 25

Rack is a modular Ruby web server interface. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable,

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 16.1 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Public Cloud 15 SP7 Fixed

Share

CVE-2026-32762 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy