CVE-2026-26962 — Vulnetix

CVE-2026-26962 PUBLISHED CVSS 4.800000190734863 MEDIUM

Rack is a modular Ruby web server interface. From version 3.2.0 to before version 3.2.6, Rack::Multipart::Parser unfolds folded multipart part headers incorrectly. When a multipart header contains an obs-fold sequence, Rack preserves the embedded CRLF in parsed parameter values such as filename or name instead of removing the folded line break during unfolding. As a result, applications that later reuse those parsed values in HTTP response headers may be vulnerable to downstream header injection or response splitting. This issue has been patched in version 3.2.6.

Risk Scores

CVSS v3.1

4.800000190734863

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Affected Products

Vendor	Product	Versions
rack	rack	>= 3.2.0, < 3.2.6
RubyGems	rack	3.2.0
Cloudflare	stream

Timeline

Apr 2, 2026 CVE Published
Apr 3, 2026 Security Advisory
Apr 21, 2026 CVE Updated

References

https://github.com/rack/rack/security/advisories/GHSA-rx22-g9mx-qrhv url
https://nvd.nist.gov/vuln/detail/CVE-2026-26962 advisory
https://github.com/rack/rack package

Open in Interactive Console →