Modular Ruby Web Server Interface Vulnerability in Rack by Rack
CVE-2026-32762

4.8MEDIUM

Key Information:

Vendor: Rack
Status: Rack
Vendor: CVE Published:; 2 April 2026

What is CVE-2026-32762?

The Rack framework for Ruby, particularly versions prior to 3.1.21 and 3.2.6, has been discovered to improperly handle the RFC 7239 Forwarded header. This improper parsing can lead to a scenario where attackers exploit mismanaged quoted-string values. In environments where an upstream proxy or WAF handles these headers differently, it becomes possible to smuggle malicious parameters, leading to possible security breaches.

Affected Version(s)

rack >= 3.0.0.beta1, < 3.1.21 < 3.0.0.beta1, 3.1.21

rack >= 3.2.0, < 3.2.6 < 3.2.0, 3.2.6

References

https://github.com/rack/rack/security/advisories/GHSA-qfg...

x_refsource_CONFIRM

CVSS V3.1

Score:

4.8

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 2, 2026
Vulnerability Reserved
Mar 13, 2026

CVE-2026-32762 Data

JSON