CVE-2026-34785
Published 2026-04-02
Priority: P347 · Severity: high · CVSS 3.1 base score: 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.39% (30.6th percentile)
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Static determines whether a request should be served as a static file using a simple string prefix check. When configured with URL prefixes such as "/css", it matches any request path that begins with that string, including unrelated paths such as "/css-config.env" or "/css-backup.sql". As a result, files under the static root whose names merely share the configured prefix may be served unintentionally, leading to information disclosure. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
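As an added example (not part of the advisory and not Rack's own code), the following Ruby script scans access-log lines for requests that hit a configured Rack::Static prefix as a bare string prefix rather than as a path segment, which is exactly the request shape this issue exposes. The prefix list, the combined-log line format and the sample log lines are constructed for the example and are assumptions, not data from any real system.

```ruby
# Added example (not Rack's code): flag access-log requests that match a
# Rack::Static URL prefix only as a bare string prefix ("/css-backup.sql"
# against "/css"), the pattern behind CVE-2026-34785. The prefix list and
# the log format are assumptions.

# Prefixes assumed to have been passed to Rack::Static as its :urls list.
STATIC_PREFIXES = ['/css', '/js', '/images'].freeze

# Combined-log-format line: method and request target sit in the quoted part.
LOG_LINE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<target>\S+) [^"]*" (?<status>\d{3})/

# True when request_path begins with prefix as a whole path segment:
# "/css" or "/css/..." but not "/css-backup.sql" or "/cssx".
def segment_prefix?(request_path, prefix)
  return true if request_path == prefix
  request_path.start_with?(prefix) && request_path[prefix.length] == '/'
end

# True when request_path would satisfy the vulnerable test
# (path.index(prefix) == 0) without starting with prefix as a segment.
def prefix_sibling?(request_path, prefixes = STATIC_PREFIXES)
  prefixes.any? { |p| request_path.start_with?(p) && !segment_prefix?(request_path, p) }
end

# Parse one log line into a hash; nil for lines that do not fit the format.
def parse_log_line(line)
  m = LOG_LINE.match(line)
  return nil unless m
  # Only the path reaches route_file, so drop any query string.
  path = m[:target].split('?', 2).first
  { ip: m[:ip], ts: m[:ts], method: m[:method], path: path, status: m[:status].to_i }
end

# Return the parsed entries that are prefix-sibling requests, each with a
# :served flag marking the ones the server actually answered with 200.
def prefix_sibling_requests(lines, prefixes = STATIC_PREFIXES)
  lines.filter_map { |l| parse_log_line(l) }
       .select { |e| prefix_sibling?(e[:path], prefixes) }
       .map { |e| e.merge(served: e[:status] == 200) }
end

# Constructed sample log lines (not captured from a real server).
SAMPLE_LOG = <<~LOG.lines(chomp: true)
  203.0.113.5 - - [02/Apr/2026:10:00:01 +0000] "GET /css/app.css HTTP/1.1" 200 5120
  203.0.113.5 - - [02/Apr/2026:10:00:02 +0000] "GET /css-config.env HTTP/1.1" 200 312
  203.0.113.5 - - [02/Apr/2026:10:00:03 +0000] "GET /css-backup.sql?x=1 HTTP/1.1" 404 0
  198.51.100.7 - - [02/Apr/2026:10:00:04 +0000] "GET /js HTTP/1.1" 301 0
  198.51.100.7 - - [02/Apr/2026:10:00:05 +0000] "GET /jsonapi/users HTTP/1.1" 200 880
  198.51.100.7 - - [02/Apr/2026:10:00:06 +0000] "GET /index.html HTTP/1.1" 200 1400
LOG

if __FILE__ == $PROGRAM_NAME
  prefix_sibling_requests(SAMPLE_LOG).each do |e|
    puts "#{e[:ip]} #{e[:method]} #{e[:path]} -> #{e[:status]}#{e[:served] ? '  (SERVED)' : ''}"
  end
end
```

The `/jsonapi/users` hit is flagged as well, and that is deliberate: under the unpatched check a prefix of `/js` routes every `/json...` request to the static file server, so the scan doubles as a way to find prefixes that collide with the application's own routes. A flagged request with a 200 against a path that is not a real static asset is the one worth treating as a disclosure.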
Affected
| Vendor | Product | Affected version range | Fixed in |
|---|---|---|---|
| debian | ruby-rack | < 3.2.6-2 (sid) | 3.2.6-2 (sid) |
| rack | rack | >= 0, < 2.2.23 | 2.2.23 |
| rack | rack | >= 3.0.0, < 3.1.21 | 3.1.21 |
| rack | rack | >= 3.0.0.beta1, < 3.1.21 | 3.1.21 |
| rack | rack | >= 3.2.0, < 3.2.6 | 3.2.6 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
| vendor_ubuntu | — | 3.7 | LOW | — |
The vendor_ubuntu figure comes from the multi-CVE Ubuntu notice listed further down, which this index keys to CVE-2026-26962 rather than to CVE-2026-34785, so it is not a score for the Rack::Static issue specifically.
OSV
CVE-2026-34785: Rack is a modular Ruby web server interface
osv · 2026-04-03 · CVSS 7.5 · HIGH (same description as above)
GHSA
Rack::Static prefix matching can expose unintended files under the static root
ghsa · 2026-04-02 · HIGH · CWE-187 (Partial String Comparison)
## Summary
`Rack::Static` determines whether a request should be served as a static file using a simple string prefix check. When configured with URL prefixes such as `"/css"`, it matches any request path that begins with that string, including unrelated paths such as `"/css-config.env"` or `"/css-backup.sql"`.
As a result, files under the static root whose names merely share the configured prefix may be served unintentionally, leading to information disclosure.
## Details
`Rack::Static#route_file` performs static-route matching using logic equivalent to:
```ruby
@urls.any? { |url| path.index(url) == 0 }
```
This checks only whether the request path starts with the configured prefix string. It does not re
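To make the check concrete, the following Ruby is an added example, not Rack's code and not the upstream patch: it reproduces the prefix test quoted above, pairs it with a segment-boundary variant, and audits a constructed static root to list the files that only the vulnerable test would route. The function names, the `['/css', '/js']` prefix list and the sample files are assumptions made for the example.

```ruby
# Added example (not Rack's code): the prefix check quoted in the advisory,
# a segment-aware replacement written for this example (not a copy of the
# upstream fix), and an audit that lists which files under a static root
# the vulnerable check exposes for a given :urls list.
require 'tmpdir'
require 'fileutils'

# Vulnerable logic, equivalent to the GHSA snippet: a bare string-prefix test.
def route_file_vulnerable(path, urls)
  urls.any? { |url| path.index(url) == 0 }
end

# Hardened logic: the prefix must be the whole path or end at a "/" boundary,
# so "/css" matches "/css" and "/css/app.css" but not "/css-backup.sql".
# A prefix that already ends in "/" is treated as segment-bounded.
def route_file_patched(path, urls)
  urls.any? do |url|
    next false unless path.start_with?(url)
    path.length == url.length || url.end_with?('/') || path[url.length] == '/'
  end
end

# Walk a static root and return, as request paths, the regular files that
# the vulnerable check routes but the patched check does not: these are the
# files a prefix collision exposes. FNM_DOTMATCH includes dotfiles.
def exposed_files(root, urls)
  Dir.glob('**/*', File::FNM_DOTMATCH, base: root)
     .select { |rel| File.file?(File.join(root, rel)) }
     .map { |rel| '/' + rel }
     .select { |req| route_file_vulnerable(req, urls) && !route_file_patched(req, urls) }
     .sort
end

# Populate a constructed static root mirroring the advisory's examples.
def build_sample_root(root)
  {
    'css/app.css'    => 'body{}',
    'js/app.js'      => 'console.log(1)',
    'css-config.env' => 'SECRET=x',     # sibling of /css
    'css-backup.sql' => 'CREATE TABLE', # sibling of /css
    'jsonapi.key'    => 'k',            # sibling of /js
    'index.html'     => '<html/>'       # unrelated; never routed either way
  }.each do |rel, body|
    full = File.join(root, rel)
    FileUtils.mkdir_p(File.dirname(full))
    File.write(full, body)
  end
  root
end

# Run the audit against a throwaway root; returns the exposed request paths.
def audit_sample(urls = ['/css', '/js'])
  Dir.mktmpdir('rack-static-audit') do |dir|
    build_sample_root(dir)
    exposed_files(dir, urls)
  end
end

if __FILE__ == $PROGRAM_NAME
  urls = ['/css', '/js']
  %w[/css/app.css /css-config.env /css-backup.sql /jsonapi.key /index.html].each do |p|
    printf "%-18s vulnerable=%-5s patched=%s\n", p,
           route_file_vulnerable(p, urls), route_file_patched(p, urls)
  end
  puts "exposed: #{audit_sample(urls).inspect}"
end
```

To audit a real deployment, point `exposed_files` at the directory passed as Rack::Static's `:root` with the same list passed as `:urls`; every path it returns is reachable through the unpatched matcher with a plain GET and no traversal, so it is also the list to look for in access logs. The actual fix is the upgrade to 2.2.23, 3.1.21 or 3.2.6; the segment-boundary variant here only shows the property the check must have.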
OSV
Rack::Static prefix matching can expose unintended files under the static root
osv · 2026-04-02 · HIGH (mirror of the GHSA advisory above; same summary and details)
OSV
CVE-2026-34785: Rack is a modular Ruby web server interface
osv · 2026-04-02 · CVSS 7.5 · HIGH (same description as above)
Ubuntu
Rack vulnerabilities (Ubuntu notice covering several Rack CVEs; indexed here under CVE-2026-26962)
vendor_ubuntu · 2026-04-17 · CVSS 3.7 · LOW
Summary: Several security issues were fixed in Rack.
Andrew Lacambra discovered that Rack did not properly parse certain regular expressions. An attacker could possibly use this issue to bypass network security filters. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 25.10. (CVE-2026-26961)
William T. Nelson discovered that Rack did not handle multipart headers correctly. An attacker could possibly use this issue to cause downstream parsing issues or a denial of service. This issue only affected Ubuntu 25.10. (CVE-2026-26962)
It was discovered that Rack did not handle the Forwarded header correctly. An attacker could possibly use this issue to manipulate header values. This issue only affected Ubuntu 25.10. (CVE-2026
Red Hat
github.com/rack/rack: Rack: Information disclosure via incorrect static file serving prefix check
vendor_redhat · 2026-04-02 · CVSS 7.5 · HIGH · CWE-552 (Files or Directories Accessible to External Parties)
A flaw was found in Rack. The `Rack::Static` component, which serves static files for web appli
Debian
ruby-rack: CVE-2026-34785
vendor_debian · 2026 · CVSS 7.5 · HIGH · Scope: local
| Suite | Status |
|---|---|
| bookworm | open |
| bullseye | open |
| forky | open |
| sid | resolved (fixed in 3.2.6-2) |
| trixie | open |
No detection rules found.
No public exploits indexed.