Platform: ruby
Component: rack
Fixed in: 2.2.24, 3.0.1, 3.2.1, 2.2.23
CVE-2026-26961 affects versions of Ruby's Rack library up to 2.2.9. It is a boundary-selection flaw in Rack::Multipart::Parser that can let an attacker bypass content validation performed upstream. The cause is a greedy regular expression that selects the last boundary parameter when a multipart/form-data request's Content-Type header carries more than one boundary. A fix is available in version 2.2.23.
The flaw lets an attacker bypass security controls implemented by upstream proxies, Web Application Firewalls (WAFs), or other intermediaries. By sending a multipart/form-data request whose Content-Type carries multiple boundary parameters, an attacker can make Rack parse a different body structure from the one the upstream system validated. This can allow malicious content past those checks and potentially compromise the application. The impact is greatest in deployments where Rack is a core component of the web application and the application relies on upstream security measures for protection.
CVE-2026-26961 was publicly disclosed on 2026-04-02. The CVSS score is LOW (3.7). Currently, there are no publicly known proof-of-concept exploits. While not actively exploited, the potential for bypassing upstream security controls warrants attention, especially in complex deployments.
Exploit Status
EPSS: 0.04% (11th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-26961 is to upgrade to Rack version 2.2.23 or later. If upgrading is not immediately feasible, apply stricter input validation at the upstream proxy or WAF so that only the intended boundary reaches Rack. Also review and update any custom Rack middleware to make sure it handles multiple boundary parameters correctly. After upgrading, confirm the fix by sending a multipart request with multiple boundaries and verifying that Rack parses the expected boundary.
Update the Rack gem to version 2.2.23, 3.1.21, or 3.2.6 or later, depending on the release branch you use. This resolves the ambiguity in multipart boundary parsing and removes the possibility of a WAF bypass.
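The following is an added example, not code from Rack or from this advisory. It contrasts a greedy boundary pattern in the style the advisory describes (an illustrative stand-in, not Rack's own regular expression) with a per-parameter scan, and wraps the scan in a hypothetical Rack-style middleware (RejectAmbiguousBoundary, a name assumed here) that refuses multipart requests carrying more than one boundary parameter before the multipart parser sees them.

```ruby
# Illustrative greedy pattern in the style the advisory describes; a stand-in
# for the discussion, not Rack's own regular expression.
GREEDY_BOUNDARY = %r{\Amultipart/form-data.*boundary="?([^";,]+)"?}i

# Returns the boundary a greedy pattern settles on (the last one), or nil.
def greedy_boundary(content_type)
  m = GREEDY_BOUNDARY.match(content_type.to_s)
  m && m[1]
end

# Returns every boundary value in the header, in order, by matching each
# parameter individually instead of skipping ahead greedily.
def all_boundaries(content_type)
  return [] if content_type.nil?
  content_type.scan(/;\s*boundary=(?:"([^"]*)"|([^;,\s]+))/i)
              .map { |quoted, token| quoted || token }
end

# Hypothetical middleware (not shipped with Rack): refuses multipart/form-data
# requests whose Content-Type does not carry exactly one boundary parameter,
# so an ambiguous header never reaches the multipart parser.
class RejectAmbiguousBoundary
  def initialize(app)
    @app = app
  end

  # Rack interface: env hash in, [status, headers, body] out.
  def call(env)
    ct = env["CONTENT_TYPE"]
    if ct && ct.match?(%r{\Amultipart/form-data}i) && all_boundaries(ct).size != 1
      return [400, { "content-type" => "text/plain" },
              ["multipart/form-data must carry exactly one boundary parameter\n"]]
    end
    @app.call(env)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed header with two boundary parameters, the case the advisory describes.
  header = "multipart/form-data; boundary=first; boundary=second"
  puts "greedy pattern picks: #{greedy_boundary(header)}"        # second
  puts "parameters present:   #{all_boundaries(header).inspect}" # ["first", "second"]
  app = RejectAmbiguousBoundary.new(->(_env) { [200, {}, ["ok"]] })
  puts "middleware status:    #{app.call('CONTENT_TYPE' => header).first}" # 400
end
```

Placing such a check ahead of the multipart parser, or the equivalent rule on the upstream proxy or WAF, ensures the body Rack parses is the one the intermediary validated.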
CVE-2026-26961 is a LOW severity vulnerability in Ruby Rack versions up to 2.2.9 where the parser incorrectly selects the last boundary from multiple Content-Type boundaries, potentially bypassing upstream validation.
If you are using Ruby Rack version 2.2.9 or earlier, you are potentially affected. Check your Rack version and upgrade accordingly.
Upgrade to Rack version 2.2.23 or later to resolve the vulnerability. If immediate upgrade is not possible, implement stricter upstream validation.
As of now, there are no publicly known active exploits for CVE-2026-26961, but the potential for bypass warrants attention.
Refer to the Ruby Rack project's official website and security advisories for the latest information and updates regarding CVE-2026-26961.