Platform: ruby
Component: rack
Fixed in: 2.2.23, 3.0.1, 3.2.1, 2.2.22
CVE-2026-22860 describes a Directory Traversal vulnerability in the Ruby Rack framework. The flaw may allow an attacker to read files and directories outside the intended root, resulting in information disclosure. The vulnerability impacts Rack versions 2.2.9 and earlier, and a fix is available in version 2.2.22.
The core of the vulnerability is a flawed path check in Rack::Directory, which only verifies that the resolved path begins with the configured root as a string prefix. An attacker can craft a request such as /../rootexample/ that exploits this weakness: if the resolved target shares a prefix with the configured root (e.g., /var/www/root and /var/www/rootbackup), the check passes and the unintended directory is served. This can expose sensitive configuration files, source code, or other critical data stored outside the intended web root. The blast radius depends on the permissions of the web server user and on the sensitivity of the data reachable within the affected directories.
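To make the prefix problem concrete, the following added example (written for this page, not code from the Rack project or from the fixed release) places a bare prefix check beside a boundary check that requires the resolved path to be the root itself or to sit below a path separator. The root directory and request paths are constructed for illustration; `File.expand_path` only normalises strings, so nothing on disk is touched.

```ruby
# Constructed example root; no real deployment is assumed.
ROOT = "/var/www/root"

# Flawed check of the kind the advisory describes: a bare string prefix match.
# "/var/www/rootbackup" starts with "/var/www/root", so it is wrongly allowed.
def allowed_by_prefix?(root, request_path)
  expanded_root = File.expand_path(root)
  target = File.expand_path(request_path, expanded_root)
  target.start_with?(expanded_root)
end

# Boundary check: the resolved target must be the root itself or lie beneath it,
# i.e. begin with the root followed by a path separator. This is one way to
# express the corrected check, not a copy of the upstream patch.
def allowed_by_boundary?(root, request_path)
  expanded_root = File.expand_path(root)
  target = File.expand_path(request_path, expanded_root)
  target == expanded_root || target.start_with?(expanded_root + File::SEPARATOR)
end

# Evaluate both checks over a list of request paths and report the verdicts.
def compare(root, request_paths)
  request_paths.map do |p|
    { path: p,
      prefix: allowed_by_prefix?(root, p),
      boundary: allowed_by_boundary?(root, p) }
  end
end

if __FILE__ == $PROGRAM_NAME
  sample = ["index.html", "docs/", "../rootbackup/", "../../etc/passwd"]
  compare(ROOT, sample).each do |r|
    puts format("%-20s prefix=%-5s boundary=%s", r[:path], r[:prefix], r[:boundary])
  end
end
```

The sibling directory request is the only row where the two verdicts differ, which is exactly the case the prefix match gets wrong.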
CVE-2026-22860 was publicly disclosed on 2026-02-17. There is no indication of active exploitation campaigns at this time. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not widely available, but the vulnerability's nature makes it relatively straightforward to exploit given access to a vulnerable Rack installation.
Exploit Status
EPSS: 0.07% (22nd percentile)
The primary mitigation for CVE-2026-22860 is to upgrade to Rack version 2.2.22 or later, which includes the corrected path boundary check. If upgrading is not immediately feasible, consider a Web Application Firewall (WAF) rule that blocks requests containing path traversal sequences such as ../. Additionally, review and restrict file system permissions for the web server user to limit the impact of a successful attack. Regularly check your Ruby environment for outdated Rack versions with tools such as `gem list` so that vulnerable installations are identified proactively.
Update the Rack gem to version 2.2.22 or higher, 3.1.20 or higher, or 3.2.5 or higher. This will fix the directory traversal vulnerability. Run `gem update rack` to update to the latest secure version.
CVE-2026-22860 is a Directory Traversal vulnerability affecting Ruby Rack versions 2.2.9 and earlier. It allows attackers to access files outside the intended web root.
You are affected if you are using Ruby Rack version 2.2.9 or earlier. Check your Rack version with `gem list rack`.
Upgrade to Ruby Rack version 2.2.22 or later to remediate the vulnerability. Consider WAF rules as a temporary workaround.
There is currently no evidence of active exploitation, but the vulnerability is relatively easy to exploit.
Refer to the Ruby Rack project's official website and security advisories for the latest information: https://rack.rubyforge.org/