Directory Listing Vulnerability in Rack Modular Ruby Web Server Interface
CVE-2026-22860

7.5HIGH

Key Information:

Vendor: Rack
Status: Rack
Vendor: CVE Published:; 18 February 2026

What is CVE-2026-22860?

Prior to the updates in versions 2.2.22, 3.1.20, and 3.2.5, Rack's Rack::Directory component had a flaw in its path-checking mechanism, which employed a string prefix matching technique. This could allow an attacker to manipulate requests, triggering a path traversal that enables directory listing beyond the intended directory root via specially crafted requests, such as /../root_example/. Users are advised to upgrade to the fixed versions to mitigate this risk.

Affected Version(s)

rack < 2.2.22 < 2.2.22

rack >= 3.0.0.beta1, < 3.1.20 < 3.0.0.beta1, 3.1.20

rack >= 3.2.0, < 3.2.5 < 3.2.0, 3.2.5

References

https://github.com/rack/rack/security/advisories/GHSA-mxw...

x_refsource_CONFIRM

https://github.com/rack/rack/commit/75c5745c286637a8f049a...

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 18, 2026
Vulnerability Reserved
Jan 12, 2026

CVE-2026-22860 Data

JSON