Platform
ruby
Component
rack
Fixed in
2.2.24
3.0.1
3.2.1
2.2.23
CVE-2026-34786 is a medium-severity vulnerability affecting Rack versions 2.2.9 and earlier. This flaw allows attackers to bypass security headers applied to static content by crafting URL-encoded requests. The vulnerability stems from how Rack::Static#applicable_rules handles URL-encoded paths, potentially serving files without the intended security headers. Upgrade to version 2.2.23 to resolve this issue.
The primary impact of CVE-2026-34786 is the potential for header bypass. If your application uses Rack::Static to apply security headers (e.g., Content-Security-Policy, X-Frame-Options, Strict-Transport-Security) to static assets, an attacker can circumvent these protections by encoding parts of the URL path. For example, if a header is intended to prevent cross-site scripting (XSS) by restricting script sources, an attacker could bypass this by encoding the path to a JavaScript file. This could lead to the exposure of sensitive data or enable other attacks. The blast radius is limited to the static content served through Rack::Static and the effectiveness of the bypassed headers.
CVE-2026-34786 was published on April 2, 2026. Its CVSS score is 5.3 (MEDIUM). There is no indication of this vulnerability being actively exploited in the wild at this time. No public Proof-of-Concept (PoC) exploits have been published. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, nor does it have an EPSS score.
Applications using Rack for serving static content, particularly those relying on Rack::Static to enforce security headers, are at risk. This includes web applications deployed on Ruby on Rails and other Ruby frameworks that leverage Rack. Shared hosting environments where Rack is used to serve static assets are also particularly vulnerable.
• ruby / server: `ps aux | grep rack`
• generic web: `curl -I 'https://example.com/%2e%2e%2f' # Check for unexpected headers`
• generic web: `curl -I 'https://example.com/%2e%2e%2f%2e%2e%2f' # Check for unexpected headers`
Disclosure
Exploit status
EPSS
0.04% (11th percentile)
CISA SSVC
CVSS vector
The recommended mitigation for CVE-2026-34786 is to upgrade to Rack version 2.2.23 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests with excessively URL-encoded paths. Specifically, look for patterns where PATH_INFO contains a high density of URL-encoded characters. As a temporary workaround, you could also review your header_rules configuration to ensure it is as robust as possible, although this does not fully address the underlying issue. After upgrading, confirm the fix by requesting static assets with URL-encoded paths and verifying that the expected headers are still applied.
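As an added example (not Rack's own code, and not a reconstruction of the actual patch), the following pure-Ruby model shows the class of bug the advisory describes and the check it recommends after upgrading: header rules matched against the raw, percent-encoded PATH_INFO miss a request such as `/assets/app%2Ejs`, while matching against the decoded, normalized path applies them. The rule shapes, sample paths and function names are assumptions chosen for illustration.

```ruby
# Added example, not Rack's own code: a simplified model of header_rules-style matching
# that is bypassed when rules see the raw, still-encoded PATH_INFO, beside a corrected
# matcher that decodes and normalizes first. Rule shapes and paths are assumptions.
HEADER_RULES = [
  [:all,            { "Cache-Control" => "public, max-age=31536000" }],
  [%w[js css],      { "Content-Security-Policy" => "default-src 'self'" }],
  ["/assets/admin", { "X-Frame-Options" => "DENY" }],
].freeze
# A rule is :all, a path-prefix String, an Array of extensions, or a Regexp.
def rule_matches?(rule, path)
  case rule
  when :all   then true
  when String then path.start_with?(rule)
  when Array  then rule.any? { |ext| path.end_with?(".#{ext}") }
  when Regexp then path.match?(rule)
  else false
  end
end
# Merge the headers of every rule that applies to the path.
def headers_for(path, rules = HEADER_RULES)
  rules.each_with_object({}) { |(rule, hdrs), acc| acc.merge!(hdrs) if rule_matches?(rule, path) }
end
# Decode percent-escapes once, then collapse "." and ".." segments, so the rules are
# evaluated against the same path the file lookup will resolve.
def normalize_path(path_info)
  decoded = path_info.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
  segments = []
  decoded.split("/").each do |seg|
    case seg
    when "", "." then next
    when ".."    then segments.pop
    else segments << seg
    end
  end
  "/" + segments.join("/")
end
# Vulnerable shape: rules checked against PATH_INFO exactly as received.
def vulnerable_headers(path_info)
  headers_for(path_info)
end
# Hardened shape: rules checked against the decoded, normalized path.
def hardened_headers(path_info)
  headers_for(normalize_path(path_info))
end
# The advisory's post-upgrade check: which expected headers are absent for a request path?
def missing_headers(path_info, expected, matcher: method(:hardened_headers))
  expected - matcher.call(path_info).keys
end
```

Running `missing_headers` against your real endpoint (replacing the matcher with a function that performs the HTTP request and returns the response headers) gives the same pass/fail answer for the encoded-path check described above.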
Update the Rack gem to version 2.2.23, 3.1.21 or 3.2.6, or later. This fixes the header_rules bypass vulnerability via URL-encoded paths. Run `gem update rack` to update.
CVE-2026-34786 is a medium-severity vulnerability in Rack versions 2.2.9 and earlier that allows attackers to bypass security headers on static content by using URL-encoded paths.
You are affected if you are using Rack version 2.2.9 or earlier and rely on Rack::Static to apply security headers to static content.
Upgrade to Rack version 2.2.23 or later to resolve the vulnerability. As a temporary workaround, implement a WAF rule to decode URLs before Rack::Static processing.
There is currently no indication of active exploitation, but the vulnerability is conceptually easy to exploit.
Refer to the official Ruby security advisory for details: [https://ruby-sec.io/](https://ruby-sec.io/)