CVE-2026-34830
Published 2026-04-02. CVE-2026-34830: Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Sendfile#map_accel_path interpolates the value of the…
Priority: P3 · 47 · high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS: 0.21% (11.1th percentile)
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Sendfile#map_accel_path interpolates the value of the X-Accel-Mapping request header directly into a regular expression when rewriting file paths for X-Accel-Redirect. Because the header value is not escaped, an attacker who can supply X-Accel-Mapping to the backend can inject regex metacharacters and control the generated X-Accel-Redirect response header. In deployments using Rack::Sendfile with x-accel-redirect, this can allow an attacker to cause nginx to serve unintended files from configured internal locations. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | ruby-rack | < ruby-rack 3.2.6-2 (sid) | ruby-rack 3.2.6-2 (sid) |
| rack | rack | < 2.2.23 | 2.2.23 |
| rack | rack | — | — |
| rack | rack | — | — |
| rack | rack | >= 0 < 2.2.23 | 2.2.23 |
| rack | rack | >= 3.0.0 < 3.1.21 | 3.1.21 |
| rack | rack | >= 3.0.0.beta1 < 3.1.21 | 3.1.21 |
| rack | rack | >= 3.2.0 < 3.2.6 | 3.2.6 |
| rack | rack | >= 3.2.0 < 3.2.6 | 3.2.6 |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| osv | 5.9 | MEDIUM | |
| vendor_debian | 5.9 | MEDIUM | |
| vendor_redhat | 5.9 | MEDIUM | |
| vendor_ubuntu | 3.7 | LOW | |
OSV
CVE-2026-34830: Rack is a modular Ruby web server interface
osv·2026-04-03·CVSS 5.9
CVE-2026-34830 [MEDIUM] CVE-2026-34830: Rack is a modular Ruby web server interface
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, ...
GHSA
Rack::Sendfile header-based X-Accel-Mapping regex injection enables unauthorized X-Accel-Redirect
ghsa·2026-04-02
CVE-2026-34830 [MEDIUM] CWE-625 Rack::Sendfile header-based X-Accel-Mapping regex injection enables unauthorized X-Accel-Redirect
Rack::Sendfile header-based X-Accel-Mapping regex injection enables unauthorized X-Accel-Redirect
## Summary
`Rack::Sendfile#map_accel_path` interpolates the value of the `X-Accel-Mapping` request header directly into a regular expression when rewriting file paths for `X-Accel-Redirect`. Because the header value is not escaped, an attacker who can supply `X-Accel-Mapping` to the backend can inject regex metacharacters and control the generated `X-Accel-Redirect` response header.
In deployments using `Rack::Sendfile` with `x-accel-redirect`, this can allow an attacker to cause nginx to serve unintended files from configured internal locations.
## Details
`Rack::Sendfile#map_accel_path` processes header-supplied mappings using logic equivalent to:
```ruby
mapping.split(',').map(&:strip)
```
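The advisory's point is that the internal prefix taken from `X-Accel-Mapping` must be matched literally, not interpreted as a pattern. The following is an added illustration, not Rack's own code: a rewrite helper that escapes the prefix with `Regexp.escape`, plus a validator a proxy or middleware layer could apply to reject mapping values that are not plain paths before they reach `Rack::Sendfile`. It assumes the header format `internal=external` with comma-separated pairs; the function and constant names are hypothetical.

```ruby
# Added example, not Rack's own code. Assumed header format:
#   "internal_prefix=external_prefix[, internal2=external2 ...]"

# Parse "a=b, c=d" into [[a, b], [c, d]], dropping malformed pairs.
def parse_accel_mapping(header)
  header.to_s.split(',').map(&:strip).filter_map do |pair|
    internal, external = pair.split('=', 2)
    next if internal.nil? || external.nil?
    [internal.strip, external.strip]
  end
end

# Safe rewrite: the internal prefix is escaped, so any regex
# metacharacters in the header value are matched as literal text.
# The block form of String#sub is used so that backreference
# sequences (such as "\\0") in the external value are not expanded.
def map_accel_path_safe(header, path)
  parse_accel_mapping(header).each do |internal, external|
    new_path = path.sub(/\A#{Regexp.escape(internal)}/i) { external }
    return new_path unless new_path == path
  end
  path
end

# Defensive validator for a proxy/middleware layer: accept only mapping
# values built from plain path characters, so a value carrying regex
# metacharacters is rejected before Rack::Sendfile ever sees it.
SAFE_PREFIX = %r{\A/[A-Za-z0-9._\-/]*\z}

def accel_mapping_valid?(header)
  pairs = parse_accel_mapping(header)
  return false if pairs.empty?
  pairs.all? do |internal, external|
    SAFE_PREFIX.match?(internal) && SAFE_PREFIX.match?(external)
  end
end
```

The validator is the stricter of the two controls: escaping fixes the regex construction, while rejecting non-path values keeps a compromised or misconfigured upstream from steering the redirect at all.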
OSV
CVE-2026-34830: Rack is a modular Ruby web server interface
osv·2026-04-02·CVSS 5.9
CVE-2026-34830 [MEDIUM] CVE-2026-34830: Rack is a modular Ruby web server interface
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Sendfile#map_accel_path interpolates the value of the X-Accel-Mapping request header directly into a regular expression when rewriting file paths for X-Accel-Redirect. Because the header value is not escaped, an attacker who can supply X-Accel-Mapping to the backend can inject regex metacharacters and control the generated X-Accel-Redirect response header. In deployments using Rack::Sendfile with x-accel-redirect, this can allow an attacker to cause nginx to serve unintended files from configured internal locations. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
Ubuntu
Rack vulnerabilities
vendor_ubuntu·2026-04-17·CVSS 3.7
CVE-2026-26962 [LOW] Rack vulnerabilities
Title: Rack vulnerabilities
Summary: Several security issues were fixed in Rack.
Andrew Lacambra discovered that Rack did not properly parse certain regular expressions. An attacker could possibly use this issue to bypass network security filters. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 25.10. (CVE-2026-26961)

William T. Nelson discovered that Rack did not handle multipart headers correctly. An attacker could possibly use this issue to cause downstream parsing issues or a denial of service. This issue only affected Ubuntu 25.10. (CVE-2026-26962)

It was discovered that Rack did not handle the Forwarded header correctly. An attacker could possibly use this issue to manipulate header values. This issue only affected Ubuntu 25.10. (CVE-2026
Red Hat
rack: Rack: Information disclosure via regular expression injection in X-Accel-Mapping header
vendor_redhat·2026-04-02·CVSS 5.9
CVE-2026-34830 [MEDIUM] CWE-625 rack: Rack: Information disclosure via regular expression injection in X-Accel-Mapping header
rack: Rack: Information disclosure via regular expression injection in X-Accel-Mapping header
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Sendfile#map_accel_path interpolates the value of the X-Accel-Mapping request header directly into a regular expression when rewriting file paths for X-Accel-Redirect. Because the header value is not escaped, an attacker who can supply X-Accel-Mapping to the backend can inject regex metacharacters and control the generated X-Accel-Redirect response header. In deployments using Rack::Sendfile with x-accel-redirect, this can allow an attacker to cause nginx to serve unintended files from configured internal locations. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
A flaw was found in
Debian
CVE-2026-34830: ruby-rack - Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, a...
vendor_debian·2026·CVSS 5.9
CVE-2026-34830 [MEDIUM] CVE-2026-34830: ruby-rack - Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, a...
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Sendfile#map_accel_path interpolates the value of the X-Accel-Mapping request header directly into a regular expression when rewriting file paths for X-Accel-Redirect. Because the header value is not escaped, an attacker who can supply X-Accel-Mapping to the backend can inject regex metacharacters and control the generated X-Accel-Redirect response header. In deployments using Rack::Sendfile with x-accel-redirect, this can allow an attacker to cause nginx to serve unintended files from configured internal locations. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
Scope: local
bookworm: open
bullseye: open
forky: open
sid: resolved (fixed in 3.2.6-2)
trixie: open
No detection rules found.
No public exploits indexed.
Published: 2026-04-02