CVE-2026-22860Path Traversal in Rack

CWE-22Path TraversalCWE-548Exposure of Information Through Directory Listing10 documents8 sources
Severity
7.5HIGHNVD
EPSS
0.1%
top 72.29%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Rack
Timeline
PublishedFeb 18
Latest updateFeb 26

Description

Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory`’s path check used a string prefix match on the expanded path. A request like `/../root_example/` can escape the configured root if the target path starts with the root string, allowing directory listing outside the intended root. Versions 2.2.22, 3.1.20, and 3.2.5 fix the issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

CVEListV5rack/rack< 2.2.22+2
NVDrack/rack3.0.03.1.20+2
RubyGemsrack/rack3.0.0.beta13.1.20+2

Patches

Patch: github.com

🔴Vulnerability Details

5
OSV
ruby-rack vulnerabilities2026-02-26
CVEList
Rack has a Directory Traversal via Rack:Directory2026-02-18
OSV
CVE-2026-22860: Rack is a modular Ruby web server interface2026-02-18
OSV
Rack has a Directory Traversal via Rack:Directory2026-02-17
GHSA
Rack has a Directory Traversal via Rack:Directory2026-02-17

📋Vendor Advisories

3
Ubuntu
Rack vulnerabilities2026-02-26
Red Hat
rubygem-rack: Rack Directory Traversal via Rack:Directory2026-02-18
Debian
CVE-2026-22860: ruby-rack - Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, a...2026

🕵️Threat Intelligence

1
Wiz
CVE-2026-22860 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-22860 — Path Traversal in Rack | cvebase