Multipart Content Parsing Issue in Rack by Ruby
CVE-2026-26961

3.7 LOW

Key Information:

Vendor: Rack
Status: Vendor
CVE Published: 2 April 2026

What is CVE-2026-26961?

Rack, the web server interface library used by Ruby web applications, mishandles multipart/form-data in Rack::Multipart::Parser: the boundary parameter is extracted from the Content-Type header with a greedy regular expression, so when the header carries more than one boundary parameter the parser takes the last one rather than the first. This matters in deployments where an upstream proxy, Web Application Firewall (WAF) or other intermediary parses the same header and honours the first boundary. An attacker can then send a single request whose body the intermediary splits on the first boundary and validates, while Rack splits it on the last boundary and sees a different set of parts, so content the intermediary never inspected reaches the application. Exploitation depends on such an intermediary sitting in front of the application, which is why the attack complexity is rated high and the score is low. The fix is in Rack 2.2.23, 3.1.21 and 3.2.6.
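The parser differential described above, as an added illustration that is not Rack's code: a greedy boundary extractor and a first-parameter extractor applied to the same Content-Type header, a minimal multipart splitter run with each choice, and a strict variant that refuses a header carrying more than one boundary parameter. The regex shapes (GREEDY_BOUNDARY, NON_GREEDY_BOUNDARY), the helper names and the sample request are all constructed for this example; the greedy pattern is assumed to have the shape that produces the behaviour the advisory describes, not quoted from Rack.

```ruby
# Added illustration of the boundary-selection differential described in this
# advisory. This is NOT Rack's code; the regexes, helper names and the sample
# request below are constructed here for demonstration.

# Assumed shape of a greedy boundary extractor: the `.*` runs to the LAST
# "boundary=" in the header, so a second boundary parameter wins.
GREEDY_BOUNDARY = %r{\Amultipart/.*boundary="?([^";,]+)"?}i

# The same pattern made lazy stops at the FIRST "boundary=" instead.
NON_GREEDY_BOUNDARY = %r{\Amultipart/.*?boundary="?([^";,]+)"?}i

# Every boundary parameter in a Content-Type header, in header order.
def boundaries(content_type)
  type, *params = content_type.split(";").map(&:strip)
  return [] unless type.downcase.start_with?("multipart/")
  params.map { |p|
    key, value = p.split("=", 2)
    value.delete('"') if value && key.strip.downcase == "boundary"
  }.compact
end

# What a first-parameter intermediary (proxy/WAF) would use.
def boundary_first(content_type)
  boundaries(content_type).first
end

# What the greedy parser ends up with (same answer as GREEDY_BOUNDARY).
def boundary_last(content_type)
  boundaries(content_type).last
end

# Hardened choice: accept exactly one boundary parameter, otherwise refuse
# the request rather than guess which boundary the upstream hop validated.
def boundary_strict(content_type)
  found = boundaries(content_type)
  found.size == 1 ? found.first : nil
end

# Minimal RFC 2046 body splitter: returns [[field-name, value], ...].
# Bytes before the first delimiter (preamble) and after the close delimiter
# (epilogue) are discarded, as a real multipart parser does.
def parse_parts(body, boundary)
  chunks = ("\r\n" + body).split("\r\n--" + boundary)
  chunks.shift # preamble
  parts = []
  chunks.each do |chunk|
    break if chunk.start_with?("--")            # "--boundary--": close delimiter
    raise "malformed part" unless chunk.start_with?("\r\n")
    headers, value = chunk[2..].split("\r\n\r\n", 2)
    parts << [headers.to_s[/name="([^"]*)"/, 1], value.to_s]
  end
  parts
end

# Constructed request: two boundary parameters, body delimited by both.
# Under boundary A the whole "role" part is just text inside "comment";
# under boundary B the "comment" part is preamble and "role" is a real field.
CONSTRUCTED_CT = 'multipart/form-data; boundary=A; boundary=B'
CONSTRUCTED_BODY = [
  "--A",
  'Content-Disposition: form-data; name="comment"',
  "",
  "hello",
  "--B",
  'Content-Disposition: form-data; name="role"',
  "",
  "admin",
  "--B--",
  "--A--",
  "",
].join("\r\n")

# Field names each hop sees for the same bytes:
# intermediary (first boundary) sees ["comment"], application (last) sees ["role"].
def differential(content_type, body)
  {
    intermediary: parse_parts(body, boundary_first(content_type)).map(&:first),
    application:  parse_parts(body, boundary_last(content_type)).map(&:first),
  }
end

if __FILE__ == $0
  p differential(CONSTRUCTED_CT, CONSTRUCTED_BODY)
  p boundary_strict(CONSTRUCTED_CT) # nil: refused
end
```

The strict variant is the check a practitioner would want at whichever hop cannot be upgraded: a header with two boundary parameters has no legitimate meaning, so rejecting it removes the ambiguity instead of relying on every hop choosing the same one.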

Affected Version(s)

rack < 2.2.23 (fixed in 2.2.23)

rack >= 3.0.0.beta1, < 3.1.21 (fixed in 3.1.21)

rack >= 3.2.0, < 3.2.6 (fixed in 3.2.6)

CVSS V3.1

Score: 3.7
Severity: LOW
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published: 2 April 2026

  • Vulnerability reserved