Description
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser extracts the boundary parameter from multipart/form-data using a greedy regular expression. When a Content-Type header contains multiple boundary parameters, Rack selects the last one rather than the first. In deployments where an upstream proxy, WAF, or intermediary interprets the first boundary parameter, this mismatch can allow an attacker to smuggle multipart content past upstream inspection and have Rack parse a different body structure than the intermediary validated. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
Published: 2026-04-02
Score: 3.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: WAF bypass via multipart boundary mismatch
Action: Patch Immediately
AI Analysis

Impact

Rack’s multipart parser uses a greedy regular expression that extracts the boundary parameter from a Content‑Type header by selecting the last value rather than the first. This parsing flaw constitutes a boundary ambiguity weakness (CWE‑444) and an incorrect data extraction weakness (CWE‑436). When a request contains multiple boundary parameters, upstream proxies, Web Application Firewalls, or other intermediaries that interpret the first parameter may apply filtering logic based on that boundary, while Rack itself parses the request using the second parameter. The result is that malicious multipart payloads can slip past upstream inspection and be processed by the application, potentially exposing the system to data injection or other payload-based attacks.

Affected Systems

The issue affects the Rack Ruby web server interface. All versions earlier than 2.2.23, 3.1.21, and 3.2.6 are vulnerable. Deployments running these older releases are at risk until they are updated to the patched versions.

Risk and Exploitability

The CVSS base score of 3.7 indicates a low severity vulnerability, and the EPSS score of less than 1% suggests a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to send a specially crafted multipart/form‑data HTTP request that contains two boundary parameters; the WAF or proxy will use the first boundary while Rack will use the second, enabling the attacker to smuggle unwanted content past upstream controls.

Generated by OpenCVE AI on April 4, 2026 at 04:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Rack to at least version 2.2.23, 3.1.21, or 3.2.6 to apply the parser fix.

Generated by OpenCVE AI on April 4, 2026 at 04:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-vgpv-f759-9wx3 Rack's greedy multipart boundary parsing can cause parser differentials and WAF bypass.
Ubuntu USN Ubuntu USN USN-8182-1 Rack vulnerabilities
History

Thu, 16 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:rack:rack:*:*:*:*:*:ruby:*:*

Sat, 04 Apr 2026 01:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-444
References
Metrics threat_severity

None

 threat_severity

Low

Fri, 03 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Rack
Rack rack
Vendors & Products Rack
Rack rack

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Description Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser extracts the boundary parameter from multipart/form-data using a greedy regular expression. When a Content-Type header contains multiple boundary parameters, Rack selects the last one rather than the first. In deployments where an upstream proxy, WAF, or intermediary interprets the first boundary parameter, this mismatch can allow an attacker to smuggle multipart content past upstream inspection and have Rack parse a different body structure than the intermediary validated. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
Title Rack: Multipart Boundary Parsing Ambiguity allowing WAF Bypass
Weaknesses CWE-436
References
Metrics cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Rack Rack
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-03T17:58:12.149Z

Reserved: 2026-02-16T22:20:28.611Z

Link: CVE-2026-26961

cve-icon Vulnrichment

Updated: 2026-04-03T17:57:59.363Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-02T17:16:21.973

Modified: 2026-04-16T17:33:26.013

Link: CVE-2026-26961

cve-icon Redhat

Severity : Low

Publid Date: 2026-04-02T16:42:16Z

Links: CVE-2026-26961 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-07T07:56:01Z

Weaknesses