CVE-2026-34763 — Vulnetix

CVE-2026-34763 PUBLISHED CVSS 5.3 MEDIUM

Reported by GitHub_M · Published April 2, 2026

Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Directory interpolates the configured root path directly into a regular expression when deriving the displayed directory path. If root contains regex metacharacters such as +, *, or ., the prefix stripping can fail and the generated directory listing may expose the full filesystem path in the HTML output. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.

Risk Scores

CVSS v3.1

5.3

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Affected Products

Vendor	Product	Versions
rack	rack	< 2.2.23, >= 3.0.0.beta1, < 3.1.21, >= 3.2.0, < 3.2.6
rack	rack	< 2.2.23, >= 3.0.0.beta1, < 3.1.21, >= 3.2.0, < 3.2.6
AWS	config

Timeline

Apr 2, 2026 CVE Published
Apr 2, 2026 CVE Updated
Apr 3, 2026 Security Advisory

References

https://github.com/rack/rack/security/advisories/GHSA-7mqq-6cf9-v2qp x_refsource_CONFIRM

Open in Interactive Console →