Skip to main content

Ruby WEBrick CVE-2026-38969

HIGH
HTTP Request/Response Smuggling (CWE-444)
2026-07-02 cve@mitre.org
7.5
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
vuln.today AI
7.5 HIGH

Remote, unauthenticated, low-complexity smuggling with no user interaction; impact is integrity-only (request desync/injection), no direct confidentiality or availability loss, scope unchanged.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

3
Analysis Generated
Jul 06, 2026 - 18:31 vuln.today
CVSS changed
Jul 06, 2026 - 16:22 NVD
7.5 (HIGH)
CVE Published
Jul 02, 2026 - 21:16 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

ruby webrick through v1.9.2 WEBrick reparses trailer Content-Length into canonical request state, enabling request smuggling.

AnalysisAI

HTTP request smuggling in Ruby's WEBrick HTTP server through v1.9.2 allows remote attackers to desynchronize front-end/back-end request parsing by exploiting how WEBrick reparses a Content-Length value supplied in chunked trailers back into the canonical request state. Any deployment fronting WEBrick with a proxy, load balancer, or CDN that disagrees on message length can have requests smuggled past it, enabling request routing manipulation and information disclosure. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify proxy-fronted WEBrick target
Delivery
Craft chunked request with trailer Content-Length
Exploit
Front-end and WEBrick disagree on length
Execution
Smuggle prefix into next connection request
Persist
Poison routing / capture victim response
Impact
Disclose or manipulate other users' requests

Vulnerability AssessmentAI

Exploitation Exploitation requires that WEBrick (<=1.9.2) process an HTTP request using chunked transfer encoding whose trailer section carries a Content-Length field, which WEBrick then reparses into canonical request state. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base is 7.5 (AV:N/AC:L/PR:N/UI:N/C:N/I:H/A:N) - remotely reachable, low complexity, no authentication, with impact confined to integrity, which is consistent with a smuggling primitive that corrupts request state rather than reading memory or crashing the service. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker sends a single crafted HTTP request through a front-end proxy to a WEBrick back end, using chunked transfer encoding with a trailer-embedded Content-Length that WEBrick honors but the proxy ignores. The length disagreement causes a prefix of the attacker's payload to be treated as the start of the next victim's request on the reused connection, letting the attacker prepend a smuggled request that poisons routing or captures another user's response. …
Remediation Upstream fix available (PR/commit) via https://github.com/ruby/webrick/pull/199; a released, tagged patched version was not provided in the input and is not independently confirmed, so upgrade the `webrick` gem to the first release incorporating PR #199 once published (track the fix reference and https://github.com/ruby/webrick/issues/198). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all production systems running Ruby WEBrick versions 1.9.2 or earlier. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2012-0217 HIGH POC
7.2 Jun 12

The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and

CVE-2026-33309 CRITICAL POC
9.9 Mar 19

An authenticated path traversal vulnerability in Langflow's file upload functionality allows attackers to write arbitrar

CVE-2019-7304 CRITICAL POC
9.8 Apr 23

Canonical snapd before version 2.37.1 incorrectly performed socket owner validation, allowing an attacker to run arbitra

CVE-2026-33186 CRITICAL POC
9.1 Mar 18

An authorization bypass vulnerability in gRPC-Go allows attackers to circumvent path-based access control by sending HTT

CVE-2026-50180 HIGH POC
8.7 Jul 02

Arbitrary file read in Langroid's SQLChatAgent (<= 0.63.0) lets an attacker who can influence the LLM-generated SQL exfi

CVE-2020-14966 HIGH POC
7.5 Jun 22

An issue was discovered in the jsrsasign package through 8.0.18 for Node.js. Rated high severity (CVSS 7.5), this vulner

CVE-2020-13822 HIGH POC
7.7 Jun 04

The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' byte

CVE-2026-29181 HIGH POC
7.5 Apr 07

Resource exhaustion in OpenTelemetry Go propagation library (v1.41.0 and earlier) enables remote attackers to trigger se

CVE-2019-7303 HIGH POC
7.5 Apr 23

A vulnerability in the seccomp filters of Canonical snapd before version 2.37.4 allows a strict mode snap to insert char

CVE-2014-4699 MEDIUM POC
6.9 Jul 09

The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved

CVE-2017-7725 MEDIUM POC
6.1 Apr 13

concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "ca

CVE-2026-48816 MEDIUM POC
6.5 Jul 01

Timestamp forgery in sigstore-js allows an attacker supplying a crafted bundle v0.2 to manipulate certificate validity w

Share

CVE-2026-38969 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy