Description
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Static determines whether a request should be served as a static file using a simple string prefix check. When configured with URL prefixes such as "/css", it matches any request path that begins with that string, including unrelated paths such as "/css-config.env" or "/css-backup.sql". As a result, files under the static root whose names merely share the configured prefix may be served unintentionally, leading to information disclosure. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
Published: 2026-04-02
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Immediate Patch
AI Analysis

Impact

Rack::Static determines whether a URL should be served by checking only the string prefix of the request path against a configured prefix. Because it does not confirm that the matched path refers to an existing file, requests such as "/css-config.env" or "/css-backup.sql" can cause Rack to expose any file whose name starts with the prefix, allowing an attacker to read sensitive data or configuration files.
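To make the flaw in the description and the impact paragraph above concrete, here is an added Ruby illustration written for this page. It is not Rack's own code and not a reproduction of the patched implementation; the function names, the `"/css"` prefix and the sample request paths are constructed for the example. It puts a naive string-prefix check of the kind the advisory describes beside a segment-boundary check that only matches when the configured prefix is the whole path or is immediately followed by `/`.

```ruby
# Added illustration (not Rack's own code): why a plain string-prefix test
# over-matches, and what a path-segment boundary check changes.

# Naive check, as the advisory describes: "/css" matches "/css-config.env"
# because the request path merely starts with the configured string.
def naive_prefix_match?(path, prefixes)
  prefixes.any? { |prefix| path.start_with?(prefix) }
end

# Boundary-aware check: the prefix must be the whole path or be followed by
# a path separator, so "/css-config.env" no longer matches "/css".
def segment_prefix_match?(path, prefixes)
  prefixes.any? do |prefix|
    prefix = prefix.chomp("/")
    path == prefix || path.start_with?("#{prefix}/")
  end
end

# Constructed sample request paths; "/css" is the configured static prefix.
SAMPLE_PATHS = [
  "/css/app.css",
  "/css",
  "/css-config.env",
  "/css-backup.sql",
  "/images/logo.png",
].freeze

# Returns, for each sample path, what each check decides. Paths where the
# two columns differ are exactly the ones the advisory is about.
def compare(prefixes = ["/css"])
  SAMPLE_PATHS.to_h do |path|
    [path, { naive: naive_prefix_match?(path, prefixes),
             boundary: segment_prefix_match?(path, prefixes) }]
  end
end

if __FILE__ == $PROGRAM_NAME
  compare.each do |path, result|
    puts format("%-18s naive=%-5s boundary=%s", path, result[:naive], result[:boundary])
  end
end
```

Running the file prints one line per constructed path; the two checks agree on `/css/app.css`, `/css` and `/images/logo.png` and disagree only on `/css-config.env` and `/css-backup.sql`. The boundary check shows what the fix has to guarantee at the matching step; it is not a substitute for upgrading to a patched release.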

Affected Systems

The vulnerability affects the Rack framework, specifically the rack:rack library. Versions prior to 2.2.23, 3.1.21, and 3.2.6 are impacted; updating to these patched releases removes the insecure prefix matching behavior.

Risk and Exploitability

The CVSS score of 7.5 signals a high severity, yet the EPSS score below 1% indicates that exploitation is unlikely at present, and this vulnerability is not listed in CISA's KEV catalog. The likely attack vector is a crafted HTTP GET request that uses a known static prefix but points to a sensitive file; based on the description, it is inferred that such a request would cause Rack to serve the file and disclose its contents. No special privileges are required for the attacker to perform this action.

Generated by OpenCVE AI on April 4, 2026 at 03:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade rack to version 2.2.23, 3.1.21, or 3.2.6 or newer to eliminate the insecure prefix matching logic.
  • Reconfigure static file prefixes to match only intended paths and avoid naming collisions with important files.
  • Verify that the updated application does not serve unintended files by testing common sensitive paths after the patch.

Advisories

Source        ID                    Title
GitHub GHSA   GHSA-h2jq-g4cq-5ppq   Rack::Static prefix matching can expose unintended files under the static root
Ubuntu USN    USN-8182-1            Rack vulnerabilities

History

Thu, 16 Apr 2026 17:45:00 +0000

CPEs (added): cpe:2.3:a:rack:rack:*:*:*:*:*:ruby:*:*

Sat, 04 Apr 2026 01:15:00 +0000

Weaknesses (added): CWE-552
References: (no values listed)
Metrics (removed): threat_severity = None
Metrics (added): threat_severity = Important

Fri, 03 Apr 2026 10:15:00 +0000

First Time appeared (added): Rack; Rack rack
Vendors & Products (added): Rack; Rack rack

Thu, 02 Apr 2026 20:30:00 +0000

Description (added): Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Static determines whether a request should be served as a static file using a simple string prefix check. When configured with URL prefixes such as "/css", it matches any request path that begins with that string, including unrelated paths such as "/css-config.env" or "/css-backup.sql". As a result, files under the static root whose names merely share the configured prefix may be served unintentionally, leading to information disclosure. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
Title (added): Rack: Local file inclusion in `Rack::Static` via URL Prefix Matching
Weaknesses (added): CWE-187; CWE-200
References: (no values listed)
Metrics (added): cvssV3_1 = {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
Metrics (added): ssvc = {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-04-02T18:59:08.828Z
Reserved: 2026-03-30T19:54:55.556Z
Link: CVE-2026-34785

Vulnrichment

Updated: 2026-04-02T18:59:03.674Z

NVD

Status: Analyzed
Published: 2026-04-02T17:16:24.873
Modified: 2026-04-16T17:19:35.290
Link: CVE-2026-34785

Red Hat

Severity: Important
Public Date: 2026-04-02T16:44:17Z
Links: CVE-2026-34785 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-07T07:55:59Z

Weaknesses