Skip to main content

Rack CVE-2026-34785

| EUVDEUVD-2026-18382 HIGH
Partial String Comparison (CWE-187)
2026-04-02 security-advisories@github.com GHSA-h2jq-g4cq-5ppq
7.5
CVSS 3.1 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
SUSE
HIGH
qualitative
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

5
Re-analysis Queued
Apr 16, 2026 - 17:22 vuln.today
cvss_changed
Patch released
Apr 03, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Apr 02, 2026 - 17:22 euvd
EUVD-2026-18382
Analysis Generated
Apr 02, 2026 - 17:22 vuln.today
CVE Published
Apr 02, 2026 - 17:16 nvd
HIGH 7.5

DescriptionCVE.org

Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Static determines whether a request should be served as a static file using a simple string prefix check. When configured with URL prefixes such as "/css", it matches any request path that begins with that string, including unrelated paths such as "/css-config.env" or "/css-backup.sql". As a result, files under the static root whose names merely share the configured prefix may be served unintentionally, leading to information disclosure. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.

AnalysisAI

Information disclosure in Rack web server interface (versions <2.2.23, <3.1.21, <3.2.6) allows unauthenticated remote attackers to access sensitive files due to flawed prefix matching in Rack::Static. The vulnerability enables access to unintended files sharing configured URL prefixes (e.g., '/css' matching '/css-backup.sql'), exposing configuration files, database backups, or environment variables. CVSS 7.5 (High) with network vector and no complexity. No public exploit identified at time of analysis.

Technical ContextAI

Rack is a minimal Ruby web server interface that sits between web servers and Ruby frameworks. The Rack::Static middleware component serves static assets by matching request paths against configured URL prefixes. The vulnerability stems from CWE-187 (Representation Error), specifically an improper string prefix check that uses simple begins-with logic rather than path boundary validation. When administrators configure static file serving with prefixes like '/css', the middleware incorrectly matches any path starting with those characters ('/css-config.env', '/css-backup.sql', '/cssadmin') rather than limiting matches to the intended directory structure ('/css/'). This allows traversal beyond intended static directories when filenames in the document root happen to share the prefix string. The flaw affects the core static file serving logic across multiple Rack major versions, impacting any Ruby web application using Rack::Static with prefix-based routing.

RemediationAI

Upgrade Rack to patched versions immediately: version 2.2.23 for 2.x deployments, version 3.1.21 for 3.1.x deployments, or version 3.2.6 for 3.2.x deployments. Update the Rack gem dependency in your Gemfile or gemspec and run bundle update rack to apply the fix. After upgrading, review Rack::Static configuration to ensure prefix strings include trailing slashes ('/css/' instead of '/css') as a defense-in-depth measure, though the patch corrects the underlying matching logic. Organizations unable to upgrade immediately should audit static file root directories for sensitive files with names that could match configured prefixes and relocate or remove such files. Review web server logs for suspicious access patterns to files outside intended static directories. Consult the GitHub security advisory at https://github.com/rack/rack/security/advisories/GHSA-h2jq-g4cq-5ppq for official remediation guidance and any additional workarounds.

More in Rack

View all
CVE-2026-22860 HIGH POC
7.5 Feb 18

Directory traversal in Rack versions prior to 2.2.22, 3.1.20, and 3.2.5 allows unauthenticated remote attackers to list

CVE-2024-26141 HIGH POC
7.5 Feb 29

Rack is a modular Ruby web server interface. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable,

CVE-2024-25126 HIGH POC
7.5 Feb 29

Rack is a modular Ruby web server interface. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable,

CVE-2020-8184 HIGH POC
7.5 Jun 19

A reliance on cookies without validation/integrity check security vulnerability exists in rack < 2.2.3, rack < 2.1.4 tha

CVE-2022-30123 CRITICAL
10.0 Dec 05

A sequence injection vulnerability exists in Rack <2.0.9.1, <2.1.4.1 and <2.2.3.1 which could allow is a possible shell

CVE-2025-25184 MEDIUM POC
5.7 Feb 12

Rack provides an interface for developing web applications in Ruby. Rated medium severity (CVSS 5.7), this vulnerability

CVE-2026-25500 MEDIUM POC
5.4 Feb 18

Rack's Directory module fails to sanitize filenames when generating HTML directory listings, allowing attackers to craft

CVE-2020-8161 HIGH
8.6 Jul 02

A directory traversal vulnerability exists in rack < 2.2.0 that allows an attacker perform directory traversal vulnerabi

CVE-2013-0263 MEDIUM
5.1 Feb 08

Rack::Session::Cookie in Rack 1.5.x before 1.5.2, 1.4.x before 1.4.5, 1.3.x before 1.3.10, 1.2.x before 1.2.8, and 1.1.x

CVE-2025-46727 HIGH
7.5 May 07

Rack is a modular Ruby web server interface. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable,

CVE-2015-3225 MEDIUM
5.0 Jul 26

lib/rack/utils.rb in Rack before 1.5.4 and 1.6.x before 1.6.2, as used with Ruby on Rails 3.x and 4.x and other products

CVE-2025-59830 HIGH
7.5 Sep 25

Rack is a modular Ruby web server interface. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable,

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 16.1 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-34785 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy