CVE-2026-34785 — Vulnetix

CVE-2026-34785 PUBLISHED CVSS 7.5 HIGH

Reported by GitHub_M · Published April 2, 2026

Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Static determines whether a request should be served as a static file using a simple string prefix check. When configured with URL prefixes such as "/css", it matches any request path that begins with that string, including unrelated paths such as "/css-config.env" or "/css-backup.sql". As a result, files under the static root whose names merely share the configured prefix may be served unintentionally, leading to information disclosure. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.

Risk Scores

CVSS v3.1

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected Products

Vendor	Product	Versions
rack	rack	< 2.2.23, >= 3.0.0.beta1, < 3.1.21, >= 3.2.0, < 3.2.6
AWS	backup
rack	rack	< 2.2.23, >= 3.0.0.beta1, < 3.1.21, >= 3.2.0, < 3.2.6
AWS	config

Timeline

Apr 2, 2026 CVE Published
Apr 2, 2026 CVE Updated
Apr 3, 2026 Security Advisory

References

https://github.com/rack/rack/security/advisories/GHSA-h2jq-g4cq-5ppq x_refsource_CONFIRM

Open in Interactive Console →