Platform: ruby
Component: rack
Fixed in: 2.2.24, 3.0.1, 3.2.1, 2.2.23
CVE-2026-34763 affects versions of the Ruby Rack library up to 2.2.9. This vulnerability stems from improper handling of regular expression metacharacters within the root configuration parameter of Rack::Directory. An attacker could leverage this to expose sensitive filesystem paths through directory listings, potentially leading to information disclosure.
The core of the vulnerability lies in how Rack::Directory constructs the displayed directory path. It interpolates the root path directly into a regular expression, and if that root path contains regular-expression metacharacters (such as '+', '*' or '.'), the prefix-stripping step can fail. When it fails, the HTML output reveals the full filesystem path instead of the intended subdirectory. An attacker could craft a malicious root path to bypass intended restrictions and access files outside the intended directory. The blast radius depends on the permissions of the web server process running Rack; it could potentially expose the entire filesystem accessible to that user.
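The following Ruby snippet is an added illustration of the bug class described above; it is not Rack's own Rack::Directory source. It models a prefix-stripping step that builds a regex from a configured root, shows how an unescaped metacharacter in that root breaks the match, and shows the Regexp.escape fix alongside a regex-free alternative. Function names and sample paths are constructed for this example.

```ruby
# Illustrative model of unescaped regex interpolation in a prefix-stripping
# step (constructed for this example, not Rack's actual code).

# Vulnerable pattern: the configured root is interpolated into the regex as-is,
# so any metacharacter in root ('+', '*', '.', ...) changes what is matched.
def strip_root_unescaped(root, full_path)
  full_path.sub(/\A#{root}/, "")
end

# Hardened pattern: Regexp.escape makes the root match only its literal text.
def strip_root_escaped(root, full_path)
  full_path.sub(/\A#{Regexp.escape(root)}/, "")
end

# Regex-free alternative: a plain string prefix check has no metacharacters.
def strip_root_plain(root, full_path)
  full_path.start_with?(root) ? full_path[root.length..] : full_path
end

# Defender's configuration check: would Regexp.escape alter this root at all?
# If it would, an unescaped interpolation of it cannot be trusted.
def root_has_metacharacters?(root)
  Regexp.escape(root) != root
end

# Constructed sample: a root directory whose name contains '+'.
# Unescaped, "app+data" means "ap", one or more "p", then "data", which never
# matches the literal "app+data" on disk, so nothing is stripped and the full
# filesystem path leaks into the listing.
SAMPLE_ROOT = "/srv/app+data"
SAMPLE_FULL = "/srv/app+data/reports/q1"

if __FILE__ == $PROGRAM_NAME
  puts "root has metacharacters? #{root_has_metacharacters?(SAMPLE_ROOT)}"
  puts "unescaped: #{strip_root_unescaped(SAMPLE_ROOT, SAMPLE_FULL)}"
  puts "escaped:   #{strip_root_escaped(SAMPLE_ROOT, SAMPLE_FULL)}"
  puts "plain:     #{strip_root_plain(SAMPLE_ROOT, SAMPLE_FULL)}"
end
```

Running it shows the unescaped variant returning the untouched full path while both hardened variants return only "/reports/q1". The `root_has_metacharacters?` check is the quick audit a deployer can run over configured roots while still on an unfixed version.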
This CVE was published on 2026-04-02. There is no indication of active exploitation or KEV listing at the time of writing. Public proof-of-concept code is not currently available, but the vulnerability's nature suggests it could be relatively easy to exploit once a PoC is developed. The potential for information disclosure makes this a concerning vulnerability, especially in environments where sensitive data is stored.
Exploit Status
EPSS: 0.04% (11th percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade to Rack version 2.2.23 or later, which includes the fix for proper path sanitization. If an immediate upgrade is not feasible, consider a Web Application Firewall (WAF) rule that filters requests containing suspicious characters in the directory path. Additionally, carefully review and sanitize any user-supplied input that influences the root configuration parameter. After upgrading, verify the fix by serving a directory whose root path contains regex metacharacters; the listing should show only the intended subdirectory and not the full filesystem path.
Update the Rack gem to version 2.2.23, 3.1.21, or 3.2.6 or higher, as appropriate for your version branch. This fixes the unescaped regex interpolation in Rack::Directory.
CVE-2026-34763 is a medium-severity vulnerability in Ruby Rack versions up to 2.2.9. It allows attackers to potentially expose filesystem paths through directory listings due to improper sanitization of the 'root' configuration parameter.
You are affected if you are using Ruby Rack version 2.2.9 or earlier. Check your Rack version and upgrade if necessary.
Upgrade to Ruby Rack version 2.2.23 or later to mitigate the vulnerability. Consider WAF rules as a temporary workaround if an upgrade is not immediately possible.
There is currently no evidence of active exploitation, but the vulnerability's nature suggests it could be exploited once a proof-of-concept is developed.
Refer to the Ruby Rack project's official website and security advisories for the latest information and updates regarding CVE-2026-34763.