CVE-2026-34830Permissive Regular Expression in Rack

CWE-625Permissive Regular Expression10 documents8 sources
Severity
5.9MEDIUMNVD
EPSS
0.0%
top 87.08%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Rack
Timeline
PublishedApr 2
Latest updateApr 17

Description

Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Sendfile#map_accel_path interpolates the value of the X-Accel-Mapping request header directly into a regular expression when rewriting file paths for X-Accel-Redirect. Because the header value is not escaped, an attacker who can supply X-Accel-Mapping to the backend can inject regex metacharacters and control the generated X-Accel-Redirect response header. In deployments using Rack::Sendfile with x-ac

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages2 packages

CVEListV5rack/rack< 2.2.23+2
RubyGemsrack/rack3.0.0.beta13.1.21+2

🔴Vulnerability Details

5
OSV
CVE-2026-34830: (Rack is a modular Ruby web server interface2026-04-03
GHSA
Rack::Sendfile header-based X-Accel-Mapping regex injection enables unauthorized X-Accel-Redirect2026-04-02
OSV
CVE-2026-34830: Rack is a modular Ruby web server interface2026-04-02
CVEList
Rack: Rack::Sendfile regex injection via HTTP_X_ACCEL_MAPPING header allows arbitrary file reads through nginx2026-04-02
OSV
Rack::Sendfile header-based X-Accel-Mapping regex injection enables unauthorized X-Accel-Redirect2026-04-02

📋Vendor Advisories

3
Ubuntu
Rack vulnerabilities2026-04-17
Red Hat
rack: Rack: Information disclosure via regular expression injection in X-Accel-Mapping header2026-04-02
Debian
CVE-2026-34830: ruby-rack - Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, a...2026

🕵️Threat Intelligence

1
Wiz
CVE-2026-34830 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-34830 — Permissive Regular Expression in Rack | cvebase