Description
Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21, and 3.2.0 to before 3.2.6, Rack::Request parses the Host header using an AUTHORITY regular expression that accepts characters not permitted in RFC-compliant hostnames, including /, ?, #, and @. Because req.host returns the full parsed value, applications that validate hosts using naive prefix or suffix checks can be bypassed. This can lead to host header poisoning in applications that use req.host, req.url, or req.base_url for link generation, redirects, or origin validation. This issue has been patched in versions 3.1.21 and 3.2.6.
Published: 2026-04-02
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Host header poisoning and allowlist bypass via invalid characters
Action: Immediate Patch
AI Analysis

Impact

Rack is a modular Ruby web server interface. The vulnerability allows Rack::Request to parse the Host header with a pattern that accepts characters not permitted in RFC-compliant hostnames, such as /, ?, #, and @. Applications that use simple prefix or suffix checks on the Host header can therefore be tricked into accepting forged host values, leading to host header poisoning that may affect link generation, redirects, or origin validation. The weakness is an example of host header injection (CWE-1286).

Affected Systems

The affected product is rack:rack. Versions from 3.0.0.beta1 up to, but not including, 3.1.21 and 3.2.0 up to, but not including, 3.2.6 are vulnerable. These patches are included in 3.1.21 and 3.2.6.

Risk and Exploitability

The CVSS score of 4.8 indicates a moderate severity, with an EPSS score below 1 % showing low probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog, so no large‑scale exploit data is available. Attackers would need to send a crafted HTTP request with a Host header containing invalid characters; the impact would be confined to the affected application’s request handling and any downstream redirects or URL generation.

Generated by OpenCVE AI on April 3, 2026 at 22:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Rack to version 3.1.21 or later, or 3.2.6 or later, to apply the fix.
  • Verify that your application performs proper host validation and does not rely solely on naive prefix/suffix checks.
  • Implement additional safeguards by sanitizing the Host header to remove characters such as /, ?, #, and @ before using it for redirects or link generation.

Generated by OpenCVE AI on April 3, 2026 at 22:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-g2pf-xv49-m2h5 Rack::Request accepts invalid Host characters, enabling host allowlist bypass
Ubuntu USN Ubuntu USN USN-8182-1 Rack vulnerabilities
History

Sat, 04 Apr 2026 01:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Fri, 03 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:rack:rack:*:*:*:*:*:ruby:*:*

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Rack
Rack rack
Vendors & Products Rack
Rack rack

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Description Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21, and 3.2.0 to before 3.2.6, Rack::Request parses the Host header using an AUTHORITY regular expression that accepts characters not permitted in RFC-compliant hostnames, including /, ?, #, and @. Because req.host returns the full parsed value, applications that validate hosts using naive prefix or suffix checks can be bypassed. This can lead to host header poisoning in applications that use req.host, req.url, or req.base_url for link generation, redirects, or origin validation. This issue has been patched in versions 3.1.21 and 3.2.6.
Title Rack: `Rack::Request` accepts invalid Host characters, enabling host allowlist bypass.
Weaknesses CWE-1286
References
Metrics cvssV3_1

{'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Subscriptions

Rack Rack
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-02T17:44:03.453Z

Reserved: 2026-03-30T20:52:53.284Z

Link: CVE-2026-34835

cve-icon Vulnrichment

Updated: 2026-04-02T17:43:58.046Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-02T18:16:33.967

Modified: 2026-04-03T19:32:26.663

Link: CVE-2026-34835

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-02T17:09:07Z

Links: CVE-2026-34835 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-07T07:55:52Z

Weaknesses