Vulnerability in Rack Static Component of Ruby Web Server Interface
CVE-2026-34786

5.3 MEDIUM

Key Information:

Vendor: Rack

Status: Vendor

CVE Published: 2 April 2026

What is CVE-2026-34786?

Rack, the Ruby web server interface, contains a security issue in its Rack::Static component: header rules are matched against the raw, URL-encoded PATH_INFO, while the path used to actually serve the file is decoded first. Because the two paths can differ, a request for an encoded variant of a URL can cause a static file to be served without the security headers that a rule would otherwise attach to it. Applications that rely on Rack::Static to enforce security-related headers on their static content are particularly at risk. The issue has been resolved in the latest versions.
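The mismatch described above, reduced to its essentials as an added example (this is not Rack's own code): a small header-rule matcher whose rule shapes are modelled loosely on the header_rules option of Rack::Static, a "vulnerable" serving function that matches rules on the raw PATH_INFO but serves the decoded path, a fixed one that decodes once and uses that single string for both, and a consistency check a maintainer can keep in a test suite. The rule list, paths and header values are constructed for illustration.

```ruby
# Added example, not Rack's own code.  Rule shapes are modelled loosely on
# Rack::Static's header_rules option:
#   [:all, headers], ['/prefix', headers], [['ext', ...], headers], [/regex/, headers]
# The rule list, request paths and header values below are constructed.

# Percent-decode a path the way a file server does before touching the filesystem.
def decode_path(path)
  path.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
end

# Collect the headers a rule list yields for the given path string.
def headers_for(path, rules)
  headers = {}
  rules.each do |rule, rule_headers|
    matched =
      case rule
      when :all    then true
      when String  then path.start_with?(rule)
      when Array   then rule.include?(File.extname(path).delete_prefix('.'))
      when Regexp  then rule.match?(path)
      else false
      end
    headers.merge!(rule_headers) if matched
  end
  headers
end

# Vulnerable pattern: rules are evaluated on the raw PATH_INFO, but the file that
# is served comes from the decoded path, so two spellings of one file can get
# different headers.
def serve_vulnerable(path_info, rules)
  { file: decode_path(path_info), headers: headers_for(path_info, rules) }
end

# Fixed pattern: decode once and use the same string for both the file lookup
# and the header rules.
def serve_fixed(path_info, rules)
  path = decode_path(path_info)
  { file: path, headers: headers_for(path, rules) }
end

# Regression check: every encoded spelling of a path must yield exactly the
# headers of its plain form.
def headers_consistent?(serve, rules, plain, encoded)
  serve.call(plain, rules)[:headers] == serve.call(encoded, rules)[:headers]
end

RULES = [
  [:all, { 'x-content-type-options' => 'nosniff' }],
  ['/downloads', { 'content-security-policy' => "default-src 'none'" }],
  [['svg', 'html'], { 'content-disposition' => 'attachment' }],
]

if __FILE__ == $0
  plain   = '/downloads/report.svg'
  encoded = '/downloads/report%2Esvg'   # same file, '.' percent-encoded
  p serve_vulnerable(encoded, RULES)    # file decoded, but no content-disposition header
  p serve_fixed(encoded, RULES)         # all three headers present
  puts "vulnerable consistent: #{headers_consistent?(method(:serve_vulnerable), RULES, plain, encoded)}"
  puts "fixed consistent:      #{headers_consistent?(method(:serve_fixed), RULES, plain, encoded)}"
end
```

The extension rule is the one that breaks in the vulnerable variant: File.extname sees no '.' in the raw string, so the header is dropped while the decoded file is still served. The fixed variant passes headers_consistent? for any encoding of the path because both decisions are made on one normalized string.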

Affected Version(s)

rack < 2.2.23

rack >= 3.0.0.beta1, < 3.1.21

rack >= 3.2.0, < 3.2.6


CVSS v3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved
