CVE-2026-26961: Interpretation Conflict in Rack

Severity: 3.7 LOW (NVD)
EPSS: 0.0% (top 87.98%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline: Published Apr 2; Latest update Apr 17

Description

Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser extracts the boundary parameter from multipart/form-data using a greedy regular expression. When a Content-Type header contains multiple boundary parameters, Rack selects the last one rather than the first. In deployments where an upstream proxy, WAF, or intermediary interprets the first boundary parameter, this mismatch can allow an attacker to smuggle multipart content past upstrea
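The differential described above comes down to one question: when a Content-Type header carries more than one boundary parameter, which one does each component use? The following is an added example, not Rack's parser or any code from the Rack project. It is a small stand-alone tokenizer (an assumption: a plain split on ';' and '=', which ignores quoted-string escapes) that collects every boundary parameter in header order, shows how a first-match reader and a last-match reader disagree on the same header, and implements the defensive check a proxy or application can apply: accept a header only when exactly one boundary is present. The sample headers are constructed for the example.

```ruby
# Added example (not Rack's code): enumerate every boundary= parameter in a
# multipart/form-data Content-Type header and refuse ambiguous headers.

# Returns all boundary values in header order. Assumption: a simple tokenizer
# that splits on ';' and '=', handles bare and double-quoted values, and does
# not process backslash escapes inside quoted strings.
def boundary_params(content_type)
  return [] if content_type.nil?
  type, *params = content_type.split(';').map(&:strip)
  return [] unless type.casecmp?('multipart/form-data')
  params.filter_map do |param|
    name, value = param.split('=', 2)
    next unless name && value && name.strip.casecmp?('boundary')
    value = value.strip
    if value.length >= 2 && value.start_with?('"') && value.end_with?('"')
      value = value[1..-2]
    end
    value
  end
end

# A first-match reader (the behaviour the advisory attributes to the upstream
# proxy or WAF) and a last-match reader (the pre-fix Rack behaviour) are both
# internally valid; the risk is that they disagree on the same header.
def first_boundary(content_type)
  boundary_params(content_type).first
end

def last_boundary(content_type)
  boundary_params(content_type).last
end

# Defensive check: a header is acceptable only when exactly one boundary is
# present. Returns the boundary, or nil when it is absent or ambiguous, so the
# caller can reject the request instead of guessing.
def safe_boundary(content_type)
  boundaries = boundary_params(content_type)
  boundaries.size == 1 ? boundaries.first : nil
end

# Constructed sample headers (not taken from the advisory).
NORMAL    = 'multipart/form-data; boundary=----ExampleBoundary0001'
AMBIGUOUS = 'multipart/form-data; boundary=AAAA; boundary=BBBB'

if __FILE__ == $PROGRAM_NAME
  [NORMAL, AMBIGUOUS].each do |header|
    puts header
    puts "  first=#{first_boundary(header).inspect} " \
         "last=#{last_boundary(header).inspect} " \
         "safe=#{safe_boundary(header).inspect}"
  end
end
```

For the ambiguous header, first_boundary returns "AAAA" and last_boundary returns "BBBB", which is exactly the mismatch between an intermediary and Rack that the description relies on; safe_boundary returns nil for it and the single boundary for the normal header. Rejecting multi-boundary headers at the edge removes the disagreement regardless of which parser sits behind it, and a count of boundary parameters greater than one is also a cheap thing to log and alert on.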

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Exploitability: 2.2 | Impact: 1.4

Affected Packages (2 packages)

CVEList V5: rack/rack < 2.2.23 (+2)
RubyGems: rack/rack 3.0.0.beta1 to 3.1.21 (+2)

Vulnerability Details (5)

OSV: CVE-2026-26961: Rack is a modular Ruby web server interface (2026-04-03)
GHSA: Rack's greedy multipart boundary parsing can cause parser differentials and WAF bypass. (2026-04-02)
OSV: CVE-2026-26961: Rack is a modular Ruby web server interface (2026-04-02)
CVEList: Rack: Multipart Boundary Parsing Ambiguity allowing WAF Bypass (2026-04-02)
OSV: Rack's greedy multipart boundary parsing can cause parser differentials and WAF bypass. (2026-04-02)

Vendor Advisories (3)

Ubuntu: Rack vulnerabilities (2026-04-17)
Red Hat: github.com/rack/rack: Rack: Content smuggling via multipart boundary parsing mismatch (2026-04-02)
Debian: CVE-2026-26961: ruby-rack - Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, a... (2026)

Threat Intelligence (1)

Wiz: CVE-2026-26961 Impact, Exploitability, and Mitigation Steps | Wiz