Skip to main content

Red Hat EUVDEUVD-2026-18380

| CVE-2026-34763 MEDIUM
Permissive Regular Expression (CWE-625)
2026-04-02 security-advisories@github.com GHSA-7mqq-6cf9-v2qp
5.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
SUSE
MEDIUM
qualitative
Red Hat
5.3 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch released
Apr 03, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Apr 02, 2026 - 17:22 euvd
EUVD-2026-18380
Analysis Generated
Apr 02, 2026 - 17:22 vuln.today
CVE Published
Apr 02, 2026 - 17:16 nvd
MEDIUM 5.3

DescriptionGitHub Advisory

Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Directory interpolates the configured root path directly into a regular expression when deriving the displayed directory path. If root contains regex metacharacters such as +, *, or ., the prefix stripping can fail and the generated directory listing may expose the full filesystem path in the HTML output. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.

AnalysisAI

Rack web server interface versions prior to 2.2.23, 3.1.21, and 3.2.6 fail to properly escape regex metacharacters when constructing directory path filtering expressions, causing the Rack::Directory component to expose full filesystem paths in HTML directory listings. An unauthenticated remote attacker can retrieve sensitive path information by requesting directory listings when the configured root path contains regex special characters such as +, *, or ., achieving low-confidentiality impact with CVSS 5.3. No public exploit code or active exploitation has been confirmed at time of analysis.

Technical ContextAI

Rack is a modular Ruby web server interface specification (CGI/Rack implemented in gems like WEBrick, Puma, etc.). The vulnerability resides in the Rack::Directory class, which generates HTML directory listings for web-accessible directories. When computing the displayed directory path, Rack::Directory constructs a regular expression to strip the configured root prefix from the full filesystem path. CWE-625 (Permissive Regular Expression) indicates the root cause: the regex pattern is built by directly interpolating the root path string without escaping regex metacharacters. If the root parameter contains characters like '+', '*', '.', '[', or other regex operators, those characters are interpreted as regex syntax rather than literal strings, causing the prefix-stripping regex to fail or match unintended paths. This results in the full filesystem path being included in the HTML output instead of the relative directory path.

RemediationAI

Upgrade Rack to version 2.2.23 (for 2.2.x branch), 3.1.21 (for 3.1.x branch), or 3.2.6 (for 3.2.x branch) or later. For Ruby on Rails applications, this typically requires updating the Gemfile lock via 'bundle update rack'. For standalone Rack-based applications, update the Gemfile and run 'bundle install'. Verify the patched version is active after deployment by checking Rack::VERSION. No workarounds are available short of disabling Rack::Directory listings or ensuring root paths contain no regex metacharacters. See GitHub Security Advisory GHSA-7mqq-6cf9-v2qp for additional details and verification steps.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 16.1 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-18380 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy