Multipart Header Parsing Issue in Rack Web Server by Rack Foundation
CVE-2026-26962

4.8 MEDIUM

Key Information:

Vendor: Rack
Status: Vendor
CVE Published: 2 April 2026

What is CVE-2026-26962?

Rack is the web server interface used by most Ruby web applications and frameworks. In Rack versions 3.2.0 through 3.2.5 the multipart parser mishandles obs-fold sequences (the obsolete form of header line folding in which a CRLF followed by a space or tab continues the previous header line) in the headers of multipart parts: the folded lines are joined, but the carriage return and line feed characters that introduced the fold are retained in the parsed value. An application that reuses such a value, for example an uploaded file's name or content type, in an HTTP response header therefore passes attacker-controlled CRLF bytes into that header and exposes itself to header injection or response splitting. Exploitation depends on the application reflecting parsed multipart header values into response headers, which is why the attack complexity is rated High. The issue is fixed in Rack 3.2.6; users of an affected version should upgrade.
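
To make the mechanism concrete, the following Ruby script is an added illustration written for this page and is not Rack's code. It parses the header block of one multipart part with a parser that joins obs-fold continuation lines while keeping the CRLF (the flawed behaviour described above) and with one that replaces the fold with a single space, then shows what happens when the resulting filename is reflected into a response header. The part header block, the `upload` field, the filename `notes.txt`, and all function names are constructed for the example.

```ruby
# Added illustration for CVE-2026-26962 (not Rack's code): how an obs-fold
# in a multipart part header can smuggle CRLF into a parsed value, and
# what a parser and an application should do about it.

CRLF = "\r\n"

# Constructed attacker-supplied header block of one multipart/form-data
# part. The Content-Disposition header is "folded": the CRLF followed by a
# space is an obs-fold (RFC 7230 section 3.2.4), so the second line is a
# continuation of the first, and the quoted filename spans the fold.
MALICIOUS_PART_HEAD =
  "Content-Disposition: form-data; name=\"upload\"; filename=\"notes.txt\r\n" \
  " Set-Cookie: sid=attacker\"\r\n" \
  "Content-Type: text/plain\r\n"

# Join obs-fold continuation lines (a line starting with SP or HTAB) onto
# the preceding header line. keep_crlf: true reproduces the flawed
# behaviour: the CRLF that introduced the fold survives in the value.
# keep_crlf: false replaces the whole obs-fold with a single space, which
# is the unfolding the RFC sanctions.
def unfold_lines(head, keep_crlf:)
  lines = []
  head.split(CRLF).each do |line|
    if !lines.empty? && line.start_with?(" ", "\t")
      lines[-1] += keep_crlf ? CRLF + line : " " + line.lstrip
    else
      lines << line
    end
  end
  lines
end

# Parse the unfolded "Name: value" lines into a hash keyed by the
# lowercased header name. String#strip only trims the ends of the value;
# a CRLF in the middle is left untouched.
def parse_part_headers(head, keep_crlf: false)
  unfold_lines(head, keep_crlf: keep_crlf).each_with_object({}) do |line, h|
    name, value = line.split(":", 2)
    next unless value
    h[name.strip.downcase] = value.strip
  end
end

# Extract the filename parameter from a Content-Disposition value, the
# way a simple upload handler might.
def filename_from(disposition)
  m = disposition.match(/filename="([^"]*)"/)
  m && m[1]
end

# Parser-side invariant: after unfolding, no value may contain CR or LF.
def parsed_values_clean?(headers)
  headers.values.none? { |v| v.match?(/[\r\n]/) }
end

# A download handler that reflects the stored filename into a response
# header. If the filename still carries the CRLF, the raw header bytes now
# span two lines, which is the header-injection primitive.
def content_disposition_header(filename)
  "Content-Disposition: attachment; filename=\"#{filename}\""
end

def header_line_count(raw_header)
  raw_header.split(CRLF).size
end

# Application-side defence in depth: remove CR and LF from any
# user-controlled value before it reaches a response header (or reject it).
def safe_header_value(value)
  value.delete("\r\n")
end

if __FILE__ == $PROGRAM_NAME
  flawed = filename_from(parse_part_headers(MALICIOUS_PART_HEAD, keep_crlf: true)["content-disposition"])
  fixed  = filename_from(parse_part_headers(MALICIOUS_PART_HEAD)["content-disposition"])
  puts "flawed parser filename: #{flawed.inspect}"
  puts "fixed parser filename:  #{fixed.inspect}"
  puts "header lines when reflected (flawed): #{header_line_count(content_disposition_header(flawed))}"
  puts "header lines when reflected (fixed):  #{header_line_count(content_disposition_header(fixed))}"
  puts "after safe_header_value:   #{safe_header_value(flawed).inspect}"
end
```

Run it with `ruby obsfold_demo.rb`. The flawed parser returns a filename that still contains `\r\n ` and the reflected header spans two lines; the fixed parser returns a single-line value. A client that implements obs-fold unfolding would treat the reflected sequence as a fold too, but anything downstream that does not unfold, or that the application transforms before emitting, is exposed, and the exposure only exists when the application reflects the value, which is the reason for the High attack complexity rating. `safe_header_value` is the application-side check that remains worth keeping after upgrading to 3.2.6.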

Affected Version(s)

rack >= 3.2.0, < 3.2.6

CVSS V3.1

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Score: 4.8
Severity: MEDIUM
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: None

Timeline

  • Vulnerability reserved

  • Vulnerability published: 2 April 2026