Description
Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21 and 3.2.0 to before 3.2.6, Rack::Utils.forwarded_values parses the RFC 7239 Forwarded header by splitting on semicolons before handling quoted-string values. Because quoted values may legally contain semicolons, a header can be interpreted by Rack as multiple Forwarded directives rather than as a single quoted for value. In deployments where an upstream proxy, WAF, or intermediary validates or preserves quoted Forwarded values differently, this discrepancy can allow an attacker to smuggle host, proto, for, or by parameters through a single header value. This issue has been patched in versions 3.1.21 and 3.2.6.
Published: 2026-04-02
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Host and Scheme Spoofing
Action: Immediate Patch
AI Analysis

Impact

Rack’s request parsing incorrectly handles RFC 7239 Forwarded headers by splitting on semicolons before processing quoted‑string values. This allows a single header to be interpreted as multiple Forwarded directives. A malicious value can therefore inject host, proto, for, or by parameters, causing the application to believe it is communicating with a different host or scheme.

Affected Systems

The vulnerability affects Rack version 3.0.0.beta1 through 3.1.20 and 3.2.0 through 3.2.5. All later versions, including 3.1.21 and 3.2.6 and beyond, contain the fix. The issue applies to any Ruby web application that uses the Rack interface for request processing.

Risk and Exploitability

The CVSS score of 4.8 indicates moderate severity. The EPSS score is below 1 % and the vulnerability is not listed in the CISA KEV catalog, suggesting that exploitation is currently unlikely. Attackers must be able to control or tamper with the Forwarded header sent by an upstream proxy, WAF, or other intermediary. When this condition is met, an attacker can spoof the host or scheme, which may affect downstream routing or logging behaviors, but no further consequences are documented in the advisory.

Generated by OpenCVE AI on April 4, 2026 at 04:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Rack to version 3.1.21 or later, or 3.2.6 or later.
  • Verify that upstream proxies, firewalls, or WAFs properly sanitize Forwarded headers before forwarding them to the application.
  • Monitor application logs and request headers for unexpected Host or scheme values to detect potential spoofing attempts.

Generated by OpenCVE AI on April 4, 2026 at 04:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-qfgr-crr9-7r49 Rack: Forwarded Header semicolon injection enables Host and Scheme spoofing
Ubuntu USN Ubuntu USN USN-8182-1 Rack vulnerabilities
History

Tue, 21 Apr 2026 01:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:rack:rack:*:*:*:*:*:ruby:*:*

Sat, 04 Apr 2026 01:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-115
References
Metrics threat_severity

None

 threat_severity

Moderate

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Rack
Rack rack
Vendors & Products Rack
Rack rack

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Description Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21 and 3.2.0 to before 3.2.6, Rack::Utils.forwarded_values parses the RFC 7239 Forwarded header by splitting on semicolons before handling quoted-string values. Because quoted values may legally contain semicolons, a header can be interpreted by Rack as multiple Forwarded directives rather than as a single quoted for value. In deployments where an upstream proxy, WAF, or intermediary validates or preserves quoted Forwarded values differently, this discrepancy can allow an attacker to smuggle host, proto, for, or by parameters through a single header value. This issue has been patched in versions 3.1.21 and 3.2.6.
Title Rack: Forwarded Header semicolon injection enables Host and Scheme spoofing
Weaknesses CWE-436
References
Metrics cvssV3_1

{'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Subscriptions

Rack Rack
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-02T17:42:42.305Z

Reserved: 2026-03-13T18:53:03.533Z

Link: CVE-2026-32762

cve-icon Vulnrichment

Updated: 2026-04-02T17:42:37.595Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-02T18:16:27.730

Modified: 2026-04-21T00:57:00.953

Link: CVE-2026-32762

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-02T17:06:50Z

Links: CVE-2026-32762 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-07T07:55:54Z

Weaknesses