VDB

CVE-2026-34786

CVE-2026-34786 PUBLISHED CVSS 5.3 MEDIUM

Reported by GitHub_M · Published April 2, 2026

Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Static#applicable_rules evaluates several header_rules types against the raw URL-encoded PATH_INFO, while the underlying file-serving path is decoded before the file is served. As a result, a request for a URL-encoded variant of a static path can serve the same file without the headers that header_rules were intended to apply. In deployments that rely on Rack::Static to attach security-relevant response headers to static content, this can allow an attacker to bypass those headers by requesting an encoded form of the path. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.

EPSS 0.04% · 13.7th percentile

Risk Scores

CVSS v3.1
5.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS Score
0.04%
13.7th percentile

Affected Products

VendorProductVersions
rackrack< 2.2.23, >= 3.0.0.beta1, < 3.1.21, >= 3.2.0, < 3.2.6
rackrack< 2.2.23, >= 3.0.0.beta1, < 3.1.21, >= 3.2.0, < 3.2.6

Timeline

  • Apr 2, 2026 CVE Published
  • Apr 3, 2026 Security Advisory
  • May 13, 2026 CVE Updated
  • May 18, 2026 EPSS Score
  • May 19, 2026 EPSS Score
  • May 20, 2026 EPSS Score
  • May 21, 2026 EPSS Score
  • May 22, 2026 EPSS Score
  • May 23, 2026 EPSS Score
  • May 24, 2026 EPSS Score
  • May 25, 2026 EPSS Score
  • May 26, 2026 EPSS Score

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›