Description
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Static#applicable_rules evaluates several header_rules types against the raw URL-encoded PATH_INFO, while the underlying file-serving path is decoded before the file is served. As a result, a request for a URL-encoded variant of a static path can serve the same file without the headers that header_rules were intended to apply. In deployments that rely on Rack::Static to attach security-relevant response headers to static content, this can allow an attacker to bypass those headers by requesting an encoded form of the path. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
Published: 2026-04-02
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Security header bypass
Action: Immediate patch
AI Analysis

Impact

Rack::Static evaluated header_rules against the raw URL‑encoded PATH_INFO while serving the file from the decoded path. This mismatch allows a request for an encoded variant of a static resource to bypass the security‑relevant headers that the header_rules are meant to apply, potentially exposing the server to attacks that rely on those headers such as click‑jacking or MIME‑type sniffing. The flaw is a form of code path error that could undermine the intended integrity controls on static content.

Affected Systems

The vulnerability affects installations of Rack using any version earlier than 2.2.23, 3.1.21, or 3.2.6. Deployments that rely on Rack::Static to add security headers to static content are impacted.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1% suggests a low likelihood of widespread exploitation. The vulnerability is not listed in CISA’s KEV catalog. An attacker can exploit it by crafting an external HTTP request with an URL‑encoded path to a static file; the request is processed against the encoded path for header matching but the decoded path is served without the intended headers. No payload is required beyond normal URL encoding.

Generated by OpenCVE AI on April 4, 2026 at 03:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Rack to version 2.2.23, 3.1.21, or 3.2.6 or later
  • If upgrading is not immediately possible, remove or reconfigure Rack::Static header_rules for static resources or replace with a dedicated static file handler that sets appropriate headers
  • Verify that all static content served includes necessary security headers such as X-Content-Type-Options and X-Frame-Options

Generated by OpenCVE AI on April 4, 2026 at 03:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-q4qf-9j86-f5mh Rack:: Static header_rules bypass via URL-encoded paths
Ubuntu USN Ubuntu USN USN-8182-1 Rack vulnerabilities
History

Thu, 16 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:rack:rack:*:*:*:*:*:ruby:*:*

Sat, 04 Apr 2026 01:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-179
References
Metrics threat_severity

None

 threat_severity

Moderate

Fri, 03 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Rack
Rack rack
Vendors & Products Rack
Rack rack

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Description Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Static#applicable_rules evaluates several header_rules types against the raw URL-encoded PATH_INFO, while the underlying file-serving path is decoded before the file is served. As a result, a request for a URL-encoded variant of a static path can serve the same file without the headers that header_rules were intended to apply. In deployments that rely on Rack::Static to attach security-relevant response headers to static content, this can allow an attacker to bypass those headers by requesting an encoded form of the path. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
Title Rack: Rack::Static header_rules bypass via URL-encoded paths
Weaknesses CWE-180
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Rack Rack
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-03T17:38:11.143Z

Reserved: 2026-03-30T19:54:55.556Z

Link: CVE-2026-34786

cve-icon Vulnrichment

Updated: 2026-04-03T17:38:05.787Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-02T17:16:25.030

Modified: 2026-04-16T17:19:00.317

Link: CVE-2026-34786

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-02T16:44:59Z

Links: CVE-2026-34786 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-07T07:55:57Z

Weaknesses