Platform: ruby
Component: rack
Fixed in: 2.2.23, 2.2.24, 3.0.1, 3.2.1
CVE-2026-34785 is an information disclosure vulnerability in the Ruby rack library's Rack::Static component. The flaw is an insufficient check when deciding whether a request should be served as a static file, which can expose files under the static root that were never meant to be public. Versions of rack prior to 2.2.23 are affected, and fixed releases are available (see the list above). An unauthenticated attacker can read files they should not be able to reach.
Rack::Static decides whether to serve a request by comparing the request path against the configured URL prefixes. When that comparison is a plain string-prefix test, any file whose name merely begins with a configured prefix (for example the prefix /css and a file named /css-config.env in the static root) is treated as a static asset and served, even though it does not live under the /css directory. If the static root also holds configuration files, database backups or similar material, the attacker gets them without authentication. The blast radius is every application that serves assets through Rack::Static, especially those whose static root contains sensitive files whose names share a prefix with a configured URL.
CVE-2026-34785 was publicly disclosed on April 2, 2026. There is currently no indication of active exploitation and no KEV listing. Public proof-of-concept code is not yet available, but the flaw is simple enough that exploitation needs nothing more than a crafted URL. The CVSS score of 7.5 (HIGH) reflects the potential for significant data exposure.
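The following is an added illustration, not Rack's own code, of the difference between the flawed check described above and a segment-boundary check. The configured prefixes, the request paths and the two helper functions are constructed for this example; they model only the prefix decision, not Rack's file lookup or path normalisation.

```ruby
# Added illustration (not Rack's own code): a naive prefix check versus a
# segment-boundary check for deciding whether a request path falls under a
# configured static URL prefix.

# Hypothetical configured prefixes, the kind an app might pass to
# Rack::Static's :urls option.
URLS = ["/css", "/images"].freeze

# The flawed test described in the advisory: plain string prefix matching.
# "/css-config.env" starts with "/css", so it is treated as a static file
# request and looked up under the static root.
def naive_static?(path, urls = URLS)
  urls.any? { |u| path.start_with?(u) }
end

# Hardened test: the prefix must be the whole path, or be followed by a
# path separator, so only paths inside the /css directory match.
def boundary_static?(path, urls = URLS)
  urls.any? { |u| path == u || path.start_with?("#{u}/") }
end

# Constructed request paths covering the normal case, the lookalike
# filename from the advisory text, and a few other prefix collisions.
SAMPLE_PATHS = [
  "/css/app.css",
  "/css",
  "/css-config.env",
  "/cssx/evil",
  "/images/logo.png",
  "/images.bak",
  "/index.html",
].freeze

# Returns a hash of path => [naive_result, boundary_result] for comparison.
def compare(paths = SAMPLE_PATHS, urls = URLS)
  paths.to_h { |p| [p, [naive_static?(p, urls), boundary_static?(p, urls)]] }
end

if $PROGRAM_NAME == __FILE__
  compare.each do |path, (naive, strict)|
    flag = naive && !strict ? "  <-- served by the naive check only" : ""
    puts format("%-20s naive=%-5s boundary=%-5s%s", path, naive, strict, flag)
  end
end
```

Run it and the rows flagged are exactly the lookalike files (/css-config.env, /cssx/evil, /images.bak) that a prefix-only test would hand to the file server. Note that the boundary check only fixes the matching step; protection against `..` traversal and percent-encoding tricks is a separate concern handled by the file-serving layer, and the durable control is to keep nothing in the static root that is not meant to be public.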
Exploit Status
EPSS: 0.04% (12th percentile)
The primary mitigation is to upgrade to version 2.2.23 or later of the rack library, which corrects the flawed prefix check. If upgrading is not immediately feasible, a WAF rule blocking requests for unexpected names or extensions under the static URL prefixes is a stopgap, but it only covers the names you think to list. The more durable control is to audit the static root itself: it should contain only files meant to be public, so move sensitive files out of it rather than merely renaming them to avoid a shared prefix. After upgrading, confirm the fix by requesting a file that previously triggered the vulnerability with a crafted URL and checking that it is no longer served.
Update the Rack gem to version 2.2.23, 3.1.21, or 3.2.6, or a later release. This corrects the unintended file exposure in `Rack::Static` caused by URL prefix matching. Run `bundle update rack` to update the gem in your project, then confirm the resolved version in Gemfile.lock.
CVE-2026-34785 is a HIGH severity vulnerability in unpatched Ruby Rack releases (2.2.x before 2.2.23; see the fixed versions listed above) where a flawed prefix check in Rack::Static can lead to unintended file exposure.
If your application resolves a rack version below the fixed release for its series, you are potentially affected. Check the rack entry in your Gemfile.lock to confirm.
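As an added example (not part of this advisory or the rack project), here is a small Ruby check that reads the resolved rack version out of a Gemfile.lock and compares it with the fixed releases listed at the top of this page. The lockfile excerpt is constructed, and the fixed-version list is taken from this page as an assumption; if your series is not in that list, the check says so rather than guessing.

```ruby
require "rubygems" # Gem::Version; loaded by default in modern Ruby

# Fixed releases as listed on this page. Assumption: this list is what the
# advisory reports; a series missing here is reported as unknown, not safe.
FIXED_RACK_VERSIONS = %w[2.2.23 2.2.24 3.0.1 3.2.1]
  .map { |v| Gem::Version.new(v) }.freeze

# Extract the resolved rack version from a Gemfile.lock string. Bundler
# writes the resolved gem as "    rack (X.Y.Z)" (four spaces) in the specs
# section; dependency lines use six spaces and so do not match.
def locked_rack_version(lockfile_text)
  m = lockfile_text.match(/^\s{4}rack \(([^)]+)\)/)
  m && Gem::Version.new(m[1])
end

# Compare a version with the fixed releases of its own major.minor series.
# Returns :fixed, :vulnerable, or :unknown_series when the page lists no
# fixed release for that series.
def rack_status(version, fixed = FIXED_RACK_VERSIONS)
  series = version.segments.first(2)
  candidates = fixed.select { |f| f.segments.first(2) == series }
  return :unknown_series if candidates.empty?
  version >= candidates.min ? :fixed : :vulnerable
end

# Top-level entry point: :not_locked if rack is absent from the lockfile.
def check_lockfile(lockfile_text)
  version = locked_rack_version(lockfile_text)
  return :not_locked unless version
  rack_status(version)
end

# Constructed Gemfile.lock excerpt, not from a real project.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (2.2.22)
      rack-test (2.1.0)
        rack (>= 1.3)

  PLATFORMS
    ruby

  DEPENDENCIES
    rack
    rack-test
LOCK

if $PROGRAM_NAME == __FILE__
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCKFILE
  puts "rack #{locked_rack_version(text)}: #{check_lockfile(text)}"
end
```

Point it at a real lockfile with `ruby check_rack.rb Gemfile.lock`. Because the comparison is per series, a 3.0.0 lock is reported as vulnerable against 3.0.1 rather than being compared with the 2.2.x fixes, and an :unknown_series result means you need to consult the advisory for that branch.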
Upgrade to version 2.2.23 or later of the rack library. This resolves the flawed prefix check.
There is currently no evidence of active exploitation, but the vulnerability's simplicity suggests it could be easily exploited.
Refer to the Ruby Rack project's official website and security advisories for the latest information: https://rack.rubyforge.org/