CVE-2026-34785Partial String Comparison in Rack

CWE-187Partial String ComparisonCWE-200Sensitive Information ExposureCWE-552Files or Directories Accessible to External Parties10 documents8 sources
Severity
7.5HIGHNVD
EPSS
0.0%
top 87.08%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Rack
Timeline
PublishedApr 2
Latest updateApr 17

Description

Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Static determines whether a request should be served as a static file using a simple string prefix check. When configured with URL prefixes such as "/css", it matches any request path that begins with that string, including unrelated paths such as "/css-config.env" or "/css-backup.sql". As a result, files under the static root whose names merely share the configured prefix may be served unintentionall

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

CVEListV5rack/rack< 2.2.23+2
RubyGemsrack/rack3.0.0.beta13.1.21+2

🔴Vulnerability Details

5
OSV
CVE-2026-34785: (Rack is a modular Ruby web server interface2026-04-03
GHSA
Rack::Static prefix matching can expose unintended files under the static root2026-04-02
OSV
Rack::Static prefix matching can expose unintended files under the static root2026-04-02
CVEList
Rack: Local file inclusion in `Rack::Static` via URL Prefix Matching2026-04-02
OSV
CVE-2026-34785: Rack is a modular Ruby web server interface2026-04-02

📋Vendor Advisories

3
Ubuntu
Rack vulnerabilities2026-04-17
Red Hat
github.com/rack/rack: Rack: Information disclosure via incorrect static file serving prefix check2026-04-02
Debian
CVE-2026-34785: ruby-rack - Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, a...2026

🕵️Threat Intelligence

1
Wiz
CVE-2026-34785 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-34785 — Partial String Comparison in Rack | cvebase