CVE-2026-34786 — Incorrect Behavior Order: Validate Before Canonicalize in Rack

CWE-180 — Incorrect Behavior Order: Validate Before Canonicalize CWE-179 — Incorrect Behavior Order: Early Validation10 documents8 sources

Severity

5.3MEDIUMNVD

EPSS

0.0%

top 87.98%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Rack

Timeline

PublishedApr 2

Latest updateApr 17

Description

Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Static#applicable_rules evaluates several header_rules types against the raw URL-encoded PATH_INFO, while the underlying file-serving path is decoded before the file is served. As a result, a request for a URL-encoded variant of a static path can serve the same file without the headers that header_rules were intended to apply. In deployments that rely on Rack::Static to attach security-relevant respon…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

▶CVEListV5rack/rack< 2.2.23+2

▶RubyGemsrack/rack3.0.0.beta1 — 3.1.21+2

🔴Vulnerability Details

OSV

CVE-2026-34786: (Rack is a modular Ruby web server interface↗2026-04-03

▶

OSV

Rack:: Static header_rules bypass via URL-encoded paths↗2026-04-02

▶

OSV

CVE-2026-34786: Rack is a modular Ruby web server interface↗2026-04-02

▶

GHSA

Rack:: Static header_rules bypass via URL-encoded paths↗2026-04-02

▶

CVEList

Rack: Rack::Static header_rules bypass via URL-encoded paths↗2026-04-02

▶

📋Vendor Advisories

Ubuntu

Rack vulnerabilities↗2026-04-17

▶

Red Hat

rack: Rack: Security header bypass via URL-encoded static path requests↗2026-04-02

▶

Debian

CVE-2026-34786: ruby-rack - Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, a...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-34786 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶