Description
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser extracts the boundary parameter from multipart/form-data using a greedy regular expression. When a Content-Type header contains multiple boundary parameters, Rack selects the last one rather than the first. In deployments where an upstream proxy, WAF, or intermediary interprets the first boundary parameter, this mismatch can allow an attacker to smuggle multipart content past upstream inspection and have Rack parse a different body structure than the intermediary validated. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
Published: 2026-04-02
Score: 3.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: WAF bypass
Action: Apply patch
AI Analysis

Impact

Rack, the Ruby web server interface, uses a greedy regular expression to extract the boundary parameter from multipart/form-data. When a Content-Type header contains multiple boundary parameters, Rack incorrectly selects the last one instead of the first. This mismatch allows an attacker to embed multipart content that passes through upstream proxies, WAFs, or other intermediaries while Rack interprets a different body structure. The result is a potential bypass of upstream inspection, enabling malicious data to reach the application with little to no filtering.

Affected Systems

The vulnerability affects Rack, the Ruby web server interface. Versions prior to 2.2.23, 3.1.21, and 3.2.6 are impacted. Updating to the specified patched releases resolves the issue.

Risk and Exploitability

The CVSS score of 3.7 indicates low severity, but the flaw can be exploited remotely via crafted HTTP requests that carry multiple boundary parameters. No exploit probability score is available, and the vulnerability is not listed in the CISA KEV catalog. An attacker would need to send a specially crafted request that passes through an upstream inspection system honouring the first boundary parameter while Rack honours the last, so that the body Rack parses differs from the one the intermediary validated.

Generated by OpenCVE AI on April 2, 2026 at 21:41 UTC.
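
The parser differential described above only arises when a Content-Type header carries more than one boundary parameter. The following Ruby is an added example (not Rack's code, nor OpenCVE's) showing how a Rack middleware can tokenize the Content-Type parameters itself and reject ambiguous multipart requests before any parsing happens; the parameter regex, the helper names and the RejectAmbiguousMultipart class are assumptions for this illustration, not Rack APIs.

```ruby
# Added example, not part of Rack: detect Content-Type headers that carry
# more than one boundary parameter and reject them with 400, so upstream
# inspection and Rack can never disagree about which boundary applies.

# Matches one ";name=value" parameter; value may be a quoted string.
# Simplified parser (assumption): no escaped quotes inside quoted values.
PARAM_RE = /;\s*([^=;\s]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^;]*)/

# Returns [media_type, [[name, value], ...]] with names lower-cased and
# quoted values unquoted.
def content_type_params(content_type)
  media_type, = content_type.to_s.split(";", 2)
  params = content_type.to_s.scan(PARAM_RE).map do |name, value|
    value = value.strip
    value = value[1..-2] if value.start_with?('"') && value.end_with?('"')
    [name.downcase, value]
  end
  [media_type.to_s.strip.downcase, params]
end

# Every boundary value, in the order it appears in the header.
def boundary_params(content_type)
  _type, params = content_type_params(content_type)
  params.select { |name, _| name == "boundary" }.map { |_, v| v }
end

# The single boundary if exactly one is present, otherwise nil
# (missing boundary, or several: ambiguous, do not guess).
def unambiguous_boundary(content_type)
  boundaries = boundary_params(content_type)
  boundaries.length == 1 ? boundaries.first : nil
end

# Hypothetical Rack middleware: refuse multipart requests whose
# Content-Type is ambiguous instead of letting the parser pick one.
class RejectAmbiguousMultipart
  def initialize(app)
    @app = app
  end

  def call(env)
    ct = env["CONTENT_TYPE"].to_s
    if ct.downcase.start_with?("multipart/") && boundary_params(ct).length > 1
      return [400, { "content-type" => "text/plain" },
              ["ambiguous multipart boundary\n"]]
    end
    @app.call(env)
  end
end
```

Placing this check at the edge (in the proxy or WAF) as well as in the application closes the gap from both sides, since a rejected request never reaches either parser.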

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Rack to version 2.2.23 or newer, 3.1.21 or newer, or 3.2.6 or newer, depending on your environment.

Generated by OpenCVE AI on April 2, 2026 at 21:41 UTC.

Advisories

Source: GitHub GHSA
ID: GHSA-vgpv-f759-9wx3
Title: Rack's greedy multipart boundary parsing can cause parser differentials and WAF bypass.
History

Fri, 03 Apr 2026 10:15:00 +0000

Type: First Time appeared
  Values added: Rack; Rack rack
Type: Vendors & Products
  Values added: Rack; Rack rack

Thu, 02 Apr 2026 20:30:00 +0000

Type: Description
  Values added: Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser extracts the boundary parameter from multipart/form-data using a greedy regular expression. When a Content-Type header contains multiple boundary parameters, Rack selects the last one rather than the first. In deployments where an upstream proxy, WAF, or intermediary interprets the first boundary parameter, this mismatch can allow an attacker to smuggle multipart content past upstream inspection and have Rack parse a different body structure than the intermediary validated. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
Type: Title
  Values added: Rack: Multipart Boundary Parsing Ambiguity allowing WAF Bypass
Type: Weaknesses
  Values added: CWE-436
Type: References
  Values added:
Type: Metrics
  Values added: cvssV3_1 {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-03T17:58:12.149Z

Reserved: 2026-02-16T22:20:28.611Z

Link: CVE-2026-26961

Vulnrichment

No data.

NVD

Status: Undergoing Analysis

Published: 2026-04-02T17:16:21.973

Modified: 2026-04-03T16:10:23.730

Link: CVE-2026-26961

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T09:18:30Z

Weaknesses