Content-Length Mismatch in Rack Web Server Interface Affecting Multiple Versions
CVE-2026-34831

4.8MEDIUM

Key Information:

Vendor: Rack
Status: Rack
Vendor: CVE Published:; 2 April 2026

What is CVE-2026-34831?

The Rack web server interface, utilized extensively within Ruby applications, has encountered a flaw in its response handling. Prior to the patched versions (2.2.23, 3.1.21, and 3.2.6), the function Rack::Files#fail incorrectly set the Content-Length response header using String#size, leading to a discrepancy when multibyte UTF-8 characters were included in the response body. This flaw permits attackers to exploit 404 responses by leveraging percent-encoded UTF-8 strings, which can cause response desynchronization in environments dependent on the inaccurate Content-Length value. This issue has been resolved in the latest versions.

Affected Version(s)

rack < 2.2.23 < 2.2.23

rack >= 3.0.0.beta1, < 3.1.21 < 3.0.0.beta1, 3.1.21

rack >= 3.2.0, < 3.2.6 < 3.2.0, 3.2.6

References

https://github.com/rack/rack/security/advisories/GHSA-q2w...

x_refsource_CONFIRM

CVSS V3.1

Score:

4.8

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 2, 2026
Vulnerability Reserved
Mar 30, 2026

CVE-2026-34831 Data

JSON