CVE-2026-22860
Published 2026-02-18
Priority: P3 · 50 · high
CVSS 3.1: 7.5 (High), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.66% (percentile 47.1)
Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory`’s path check used a string prefix match on the expanded path. A request like `/../root_example/` can escape the configured root if the target path starts with the root string, allowing directory listing outside the intended root. Versions 2.2.22, 3.1.20, and 3.2.5 fix the issue.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | ruby-rack | < 2.2.22-0+deb12u1 (bookworm) | 2.2.22-0+deb12u1 (bookworm) |
| rack | rack | >= 0, < 2.2.22 | 2.2.22 |
| rack | rack | >= 3.0.0, < 3.1.20 | 3.1.20 |
| rack | rack | >= 3.0.0.beta1, < 3.1.20 | 3.1.20 |
| rack | rack | >= 3.2.0, < 3.2.5 | 3.2.5 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
| vendor_ubuntu | — | 7.5 | HIGH | — |
Ubuntu
Rack vulnerabilities
vendor_ubuntu · 2026-02-26 · CVSS 7.5 · HIGH (advisory covers CVE-2026-22860 and CVE-2026-25500)
Summary: Several security issues were fixed in Rack.
Minh Pham Quang discovered that Rack did not correctly handle parsing certain paths, which could lead to a path traversal attack. An attacker could possibly use this issue to leak sensitive information. (CVE-2026-22860)
Ali Firas discovered that Rack did not correctly sanitize certain inputs. An attacker could possibly use this issue to execute arbitrary code. (CVE-2026-25500)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
rubygem-rack: Rack Directory Traversal via Rack:Directory
vendor_redhat · 2026-02-18 · CVSS 7.5 · HIGH · CWE-22
A path traversal flaw has been discovered in the rubygem Rack. Rack::Directory’s path check used a string prefix match on the expanded path. A request like /../root_example/ can escape the configured root if the target path starts with the root string, allowing directory listing outside the intended root. In directory.rb, File.expand_path(File.join(r
Debian
CVE-2026-22860: ruby-rack
vendor_debian · 2026 · CVSS 7.5 · HIGH
Scope: local
bookworm: resolved (fixed in 2.2.22-0+deb12u1)
bullseye: resolved (fixed in 2.1.4-3+deb11u5)
forky: resolved (fixed in 3.2.5-1)
sid: resolved (fixed in 3.2.5-1)
trixie: resolved (fixed in 3.1.20-0+deb13u1)
VulDB
Rack up to 2.2.21/3.1.19/3.2.4 Rack::Directory path traversal (GHSA-mxw3-3hh2-x2mh / Nessus ID 299587)
vuldb · 2026-07-01 · CVSS 7.5 · HIGH
A vulnerability, which was classified as critical, was found in Rack up to 2.2.21/3.1.19/3.2.4. This affects the function Rack::Directory. The manipulation results in path traversal.
This vulnerability is identified as CVE-2026-22860. The attack can be executed remotely. No exploit is available.
You should upgrade the affected component.
OSV
ruby-rack vulnerabilities
osv · 2026-02-26 · CVSS 7.5 · HIGH
Advisory text identical to the Ubuntu record above.
OSV
CVE-2026-22860: Rack is a modular Ruby web server interface
osv · 2026-02-18 · CVSS 7.5 · HIGH
OSV
Rack has a Directory Traversal via Rack:Directory
osv · 2026-02-17 · HIGH
## Summary
`Rack::Directory`’s path check used a string prefix match on the expanded path. A request like `/../root_example/` can escape the configured root if the target path starts with the root string, allowing directory listing outside the intended root.
## Details
In `directory.rb`, `File.expand_path(File.join(root, path_info)).start_with?(root)` does not enforce a path boundary. If the server root is `/var/www/root`, a path like `/var/www/root_backup` passes the check because it shares the same prefix, so `Rack::Directory` will list that directory also.
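The following is an added example, not code from Rack or from the advisory. It reproduces the boundary flaw described above in the shape the advisory gives for the pre-fix check, and places a boundary-aware check beside it. The document root `/var/www/root` is taken from the advisory's example; the list of `PATH_INFO` values, the function names and the hardened variant are constructed here for illustration and are not Rack's actual patch. Both checks are pure string handling on the expanded path, so the script runs without touching the filesystem.

```ruby
# Added example (not Rack's code): the advisory's prefix-match check next to a
# boundary-aware check, evaluated over constructed PATH_INFO values.

# Pre-fix shape of the check as described in the advisory: expand the joined
# path, then compare it with the root using a plain string prefix test.
# "/var/www/root_backup" starts with "/var/www/root", so it passes.
def vulnerable_inside_root?(root, path_info)
  File.expand_path(File.join(root, path_info)).start_with?(root)
end

# Illustrative boundary-aware check (not the upstream fix): the resolved
# target must be the root itself or lie beneath "<root>/". A sibling that
# merely shares the root string as a prefix fails the separator boundary.
def hardened_inside_root?(root, path_info)
  root   = File.expand_path(root)                       # normalise, drop trailing "/"
  target = File.expand_path(File.join(root, path_info))
  target == root || target.start_with?(root + File::SEPARATOR)
end

ROOT = "/var/www/root" # constructed document root, matching the advisory's example

# Constructed PATH_INFO values, including the advisory's escape and a
# traversal that leaves the root and resolves back inside it.
REQUESTS = [
  "/",                # the root listing itself
  "/css/",            # ordinary subdirectory
  "/a/../b/",         # traversal that stays inside the root
  "/../root_backup/", # the advisory's case: escapes but keeps the prefix
  "/../root/",        # leaves and re-enters the root
  "/../other/",       # escape that the prefix check already rejects
  "/../../etc/",      # conventional traversal, rejected by both checks
].freeze

# Returns { path_info => [resolved_path, prefix_check_verdict, boundary_check_verdict] }.
def evaluate(root = ROOT, requests = REQUESTS)
  requests.each_with_object({}) do |path_info, out|
    resolved = File.expand_path(File.join(root, path_info))
    out[path_info] = [resolved,
                      vulnerable_inside_root?(root, path_info),
                      hardened_inside_root?(root, path_info)]
  end
end

# PATH_INFO values the prefix check admits but the boundary check rejects.
def escapes(root = ROOT, requests = REQUESTS)
  evaluate(root, requests).select { |_, (_, vuln, hard)| vuln && !hard }.keys
end

if $PROGRAM_NAME == __FILE__
  printf("%-20s %-24s %-8s %s\n", "PATH_INFO", "resolved", "prefix", "boundary")
  evaluate.each do |path_info, (resolved, vuln, hard)|
    printf("%-20s %-24s %-8s %s\n", path_info, resolved, vuln, hard)
  end
end
```

Only `/../root_backup/` separates the two checks: the prefix test accepts it because the expanded path begins with the root string, while the boundary test rejects it because the character after the shared prefix is `_`, not a separator. Note that `File.expand_path` resolves `..` lexically and does not follow symlinks, so a symlink placed under the root that points elsewhere is a different concern and is not addressed by either check.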
## Impact
Information disclosure via directory listing outside the configured root when `Rack::Directory` is exposed to untrusted clients and a directory shares the root prefix (
GHSA
Rack has a Directory Traversal via Rack:Directory (GHSA-mxw3-3hh2-x2mh)
ghsa · 2026-02-17 · HIGH · CWE-22
Advisory text identical to the OSV record above.
No detection rules found.
No public exploits indexed.
References
- https://github.com/rack/rack/commit/75c5745c286637a8f049a33790c71237762069e7
- https://github.com/rack/rack/security/advisories/GHSA-mxw3-3hh2-x2mh
- https://access.redhat.com/security/cve/CVE-2026-22860
- https://bugzilla.redhat.com/show_bug.cgi?id=2440737
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-22860.json
Published: 2026-02-18