Description
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Sendfile#map_accel_path interpolates the value of the X-Accel-Mapping request header directly into a regular expression when rewriting file paths for X-Accel-Redirect. Because the header value is not escaped, an attacker who can supply X-Accel-Mapping to the backend can inject regex metacharacters and control the generated X-Accel-Redirect response header. In deployments using Rack::Sendfile with x-accel-redirect, this can allow an attacker to cause nginx to serve unintended files from configured internal locations. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
Published: 2026-04-02
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Read
Action: Immediate Patch
AI Analysis

Impact

Rack is a modular Ruby web server interface. In versions prior to 2.2.23, 3.1.21, and 3.2.6, the Rack::Sendfile#map_accel_path method interpolates the value of the X-Accel-Mapping request header directly into a regular expression used for rewriting file paths for X-Accel-Redirect. Because this header value is not escaped, an attacker who can supply X-Accel-Mapping to the backend can inject regex metacharacters and control the generated X-Accel-Redirect response header, leading to arbitrary file reads from internal locations, a pattern consistent with CWE-625.

Affected Systems

The affected component is Rack, the Ruby web server interface library. The vulnerability affects all releases of Rack older than 2.2.23, 3.1.21, and 3.2.6. These versions are widely used in Ruby applications that rely on Rack::Sendfile with nginx's X-Accel-Redirect feature.

Risk and Exploitability

The CVSS score for this issue is 5.9, indicating moderate severity. EPSS data is not provided, and the vulnerability is not listed in CISA’s KEV catalog. The most likely attack vector is a crafted HTTP request containing a malicious X-Accel-Mapping header sent to a Rack application sitting behind nginx configured for X-Accel-Redirect. If exploited, the attacker could cause nginx to serve unintended files from configured internal locations, potentially exposing sensitive data. Because the attack requires only the ability to supply request headers, it can be performed over the public network, but it is mitigated by the patch.

Generated by OpenCVE AI on April 2, 2026 at 22:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Rack to version 2.2.23 or later, 3.1.21 or later, or 3.2.6 or later to remove the vulnerability.

Generated by OpenCVE AI on April 2, 2026 at 22:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-qv7j-4883-hwh7 Rack::Sendfile header-based X-Accel-Mapping regex injection enables unauthorized X-Accel-Redirect
Ubuntu USN Ubuntu USN USN-8182-1 Rack vulnerabilities
History

Thu, 16 Apr 2026 17:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:rack:rack:*:*:*:*:*:ruby:*:*

Sat, 04 Apr 2026 01:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Rack
Rack rack
Vendors & Products Rack
Rack rack

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Description Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Sendfile#map_accel_path interpolates the value of the X-Accel-Mapping request header directly into a regular expression when rewriting file paths for X-Accel-Redirect. Because the header value is not escaped, an attacker who can supply X-Accel-Mapping to the backend can inject regex metacharacters and control the generated X-Accel-Redirect response header. In deployments using Rack::Sendfile with x-accel-redirect, this can allow an attacker to cause nginx to serve unintended files from configured internal locations. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
Title Rack: Rack::Sendfile regex injection via HTTP_X_ACCEL_MAPPING header allows arbitrary file reads through nginx
Weaknesses CWE-625
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Subscriptions

Rack Rack
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-02T18:59:46.589Z

Reserved: 2026-03-30T20:52:53.284Z

Link: CVE-2026-34830

cve-icon Vulnrichment

Updated: 2026-04-02T18:59:41.978Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-02T17:16:26.267

Modified: 2026-04-16T16:50:50.290

Link: CVE-2026-34830

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-02T16:47:40Z

Links: CVE-2026-34830 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-03T09:18:22Z

Weaknesses