CVE-2026-32762 — Interpretation Conflict in Rack

CWE-436 — Interpretation Conflict CWE-115 — Misinterpretation of Input72 documents8 sources

Severity

4.8MEDIUMNVD

EPSS

0.0%

top 89.41%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Rack

Timeline

PublishedApr 2

Latest updateApr 17

Description

Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21 and 3.2.0 to before 3.2.6, Rack::Utils.forwarded_values parses the RFC 7239 Forwarded header by splitting on semicolons before handling quoted-string values. Because quoted values may legally contain semicolons, a header can be interpreted by Rack as multiple Forwarded directives rather than as a single quoted for value. In deployments where an upstream proxy, WAF, or intermediary validates or preserves quote…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:NExploitability: 2.2 | Impact: 2.5

Affected Packages2 packages

▶RubyGemsrack/rack3.0.0.beta1 — 3.1.21+1

▶CVEListV5rack/rack>= 3.0.0.beta1, < 3.1.21, >= 3.2.0, < 3.2.6+1

🔴Vulnerability Details

OSV

CVE-2026-32762: (Rack is a modular Ruby web server interface↗2026-04-03

▶

OSV

Rack: Forwarded Header semicolon injection enables Host and Scheme spoofing↗2026-04-02

▶

GHSA

Rack: Forwarded Header semicolon injection enables Host and Scheme spoofing↗2026-04-02

▶

CVEList

Rack: Forwarded Header semicolon injection enables Host and Scheme spoofing↗2026-04-02

▶

OSV

CVE-2026-32762: Rack is a modular Ruby web server interface↗2026-04-02

▶

📋Vendor Advisories

Ubuntu

Rack vulnerabilities↗2026-04-17

▶

Red Hat

rack: Rack: Parameter smuggling via improper Forwarded header parsing↗2026-04-02

▶

Debian

CVE-2026-32762: ruby-rack - Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-33635 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-25765 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-33210 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-34763 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-33168 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶