Description
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Directory interpolates the configured root path directly into a regular expression when deriving the displayed directory path. If root contains regex metacharacters such as +, *, or ., the prefix stripping can fail and the generated directory listing may expose the full filesystem path in the HTML output. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
Published: 2026-04-02
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure and Denial of Service
Action: Immediate Patch
AI Analysis

Impact

Rack::Directory builds a regular expression by interpolating the configured root path into the pattern without escaping it. When that path contains regex metacharacters such as +, *, or ., the pattern no longer matches the literal prefix (or fails to compile at all), so prefix stripping fails. The generated directory listing may then expose the full filesystem path in the HTML output, and a pattern that fails to compile raises unexpected errors, which amounts to a denial-of-service condition. The defect is a form of improper input handling, as reflected in the listed weaknesses.
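As an added illustration, not Rack's own code and not taken from the advisory, the following Ruby script reproduces the bug class described above: a root path interpolated into a Regexp without escaping, beside the same prefix strip done with Regexp.escape. The helper names and the sample root paths are constructed for this example, and the unescaped form is assumed to mirror the pattern the advisory describes.

```ruby
# Added example (not Rack's own code): a configured root path dropped straight
# into a Regexp changes the pattern's meaning whenever it contains regex
# metacharacters; Regexp.escape makes the prefix strip literal.

# Vulnerable form: `root` is interpolated unescaped, so `+`, `(`, `.` and
# friends are interpreted as regex syntax instead of path characters.
def strip_root_unescaped(root, full_path)
  full_path.sub(/\A#{root}/, "")
end

# Hardened form: every metacharacter in `root` is escaped, so the pattern
# matches exactly the configured prefix and nothing else.
def strip_root_escaped(root, full_path)
  full_path.sub(/\A#{Regexp.escape(root)}/, "")
end

# Reports what a directory listing built from `full_path` would show:
#   :error  the interpolated pattern does not even compile (the unexpected
#           errors the advisory mentions)
#   :leak   the displayed path still begins with the filesystem root
#   :ok     the root prefix was stripped as intended
def listing_outcome(root, full_path, escape: false)
  shown = escape ? strip_root_escaped(root, full_path) : strip_root_unescaped(root, full_path)
  shown.start_with?(root) ? :leak : :ok
rescue RegexpError
  :error
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample roots; each directory is one level below the root.
  [
    ["/srv/site/public", "/srv/site/public/docs"],      # plain root: both forms work
    ["/srv/c++/public", "/srv/c++/public/docs"],        # '+' becomes a quantifier
    ["/srv/app (staging)", "/srv/app (staging)/docs"],  # parentheses become a group
    ["/srv/app(", "/srv/app(/docs"],                    # unbalanced paren: no compile
  ].each do |root, path|
    puts format("%-22s unescaped=%-6s escaped=%s", root,
                listing_outcome(root, path), listing_outcome(root, path, escape: true))
  end
end
```

Running the script prints one line per sample root; only the plain root survives the unescaped form, while the escaped form yields `/docs` for all four, which is the behaviour the fixed releases restore.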

Affected Systems

The vulnerability affects all releases of Rack prior to 2.2.23, 3.1.21, and 3.2.6 when the Rack::Directory middleware is used to browse directories. Applications that rely on earlier versions of Rack and configure a root path containing regex metacharacters are susceptible.

Risk and Exploitability

The CVSS score of 5.3 represents moderate severity, and the EPSS score below 1% suggests a low, though non-zero, likelihood of exploitation. The issue is not listed in the KEV catalog. When the configured root path contains regex metacharacters, an unauthenticated HTTP request for a directory listing is enough to trigger the flaw, leading to information disclosure and potential service interruption. The nature of the vulnerability implies a direct exploitation pathway, but no public exploit has been identified.

Generated by OpenCVE AI on April 4, 2026 at 04:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Rack to the patched release for the series in use: 2.2.23, 3.1.21, or 3.2.6 (or a later release within that series) to apply the official patch.
  • If an upgrade is not immediately feasible, avoid using Rack::Directory with root paths that contain regex metacharacters until the patch can be applied.


Advisories

Source: GitHub GHSA
ID: GHSA-7mqq-6cf9-v2qp
Title: Rack has a root directory disclosure via unescaped regex interpolation in Rack::Directory
History

Sat, 04 Apr 2026 01:15:00 +0000

Weaknesses: CWE-41
References: (no change listed)
Metrics (threat_severity): removed None; added Moderate

Fri, 03 Apr 2026 10:15:00 +0000

First time appeared: Rack; Rack rack
Vendors & Products: Rack; Rack rack

Thu, 02 Apr 2026 20:30:00 +0000

Description: Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Directory interpolates the configured root path directly into a regular expression when deriving the displayed directory path. If root contains regex metacharacters such as +, *, or ., the prefix stripping can fail and the generated directory listing may expose the full filesystem path in the HTML output. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
Title: Rack: Rack::Directory info disclosure and DoS via unescaped regex interpolation
Weaknesses: CWE-625
References: (no change listed)
Metrics (cvssV3_1): {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}
Metrics (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-02T17:41:12.293Z

Reserved: 2026-03-30T19:17:10.225Z

Link: CVE-2026-34763

Vulnrichment

Updated: 2026-04-02T17:41:07.802Z

NVD

Status: Undergoing Analysis

Published: 2026-04-02T17:16:24.723

Modified: 2026-04-03T16:10:23.730

Link: CVE-2026-34763

Red Hat

Severity: Moderate

Public Date: 2026-04-02T16:43:42Z

Links: CVE-2026-34763 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-07T07:56:00Z

Weaknesses