Platform: ruby
Component: rack
Fixed in: 2.2.24, 3.0.1, 3.2.1, 2.2.23
CVE-2026-34786 is a medium-severity vulnerability affecting Rack versions 2.2.9 and earlier. This flaw allows attackers to bypass security headers applied to static content by crafting URL-encoded requests. The vulnerability stems from how Rack::Static#applicable_rules handles URL-encoded paths, potentially serving files without the intended security headers. Upgrade to version 2.2.23 to resolve this issue.
The core of the vulnerability lies in the way Rack::Static processes URLs. It evaluates header_rules against the raw, URL-encoded PATH_INFO before serving the file, but the path used to locate and serve the file is decoded after this evaluation. This creates a discrepancy: an attacker can craft a URL with a URL-encoded path that bypasses the intended header rules. For example, if a header rule is designed to prevent direct access to certain files, encoding the path could circumvent this protection. The impact is that static assets (images, JavaScript, CSS) might be served without critical security headers like Content-Security-Policy or X-Frame-Options, increasing the risk of cross-site scripting (XSS) or clickjacking attacks. The blast radius depends on the sensitivity of the static assets and the effectiveness of other security controls in place.
This vulnerability was publicly disclosed on 2026-04-02. There is currently no indication of active exploitation or a KEV listing. Public proof-of-concept (PoC) code is not widely available, but the vulnerability is conceptually straightforward to exploit. The CVSS score of 5.3 (Medium) reflects the potential impact and relatively low exploitability.
Exploit Status
EPSS: 0.04% (11th percentile)
The primary mitigation is to upgrade to Rack version 2.2.23 or later, which addresses the vulnerability. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to decode the URL before it reaches Rack::Static. This ensures that header rules are evaluated against the decoded path. Another workaround involves carefully reviewing and tightening the existing header_rules to ensure they are robust against URL encoding. Regularly scan your application for potential vulnerabilities using static analysis tools. After upgrading, confirm the fix by attempting to access static assets with URL-encoded paths and verifying that the expected headers are applied.
Update the Rack gem to version 2.2.23, 3.1.21, or 3.2.6, or higher. This will correct the header_rules bypass vulnerability via URL-encoded paths. Run `gem update rack` to update.
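As an added illustration that is not Rack's own code, the following simplified model of the applicable_rules matching described above places the pre-fix evaluation on the raw PATH_INFO beside a version that decodes first, and adds the post-upgrade comparison check from the mitigation section. The header rules, request paths and the single-pass percent decoder are constructed assumptions, not copied from Rack.

```ruby
# Constructed header rules in the shape Rack::Static's header_rules uses:
# [matcher, headers], where the matcher is :all, :fonts, a String path
# prefix, an Array of file extensions, or a Regexp.
HEADER_RULES = [
  [:all, { 'cache-control' => 'public, max-age=31536000' }],
  [%w[js css], { 'content-security-policy' => "default-src 'self'",
                 'x-frame-options' => 'DENY' }],
  ['/downloads', { 'content-disposition' => 'attachment' }],
].freeze

# Single-pass percent decoding (assumption: stands in for Rack's own
# path unescaping; a real deployment would call the Rack helper).
def percent_decode(path)
  path.gsub(/%([0-9a-fA-F]{2})/) { Regexp.last_match(1).hex.chr }
end

# Rule matching modelled on Rack::Static#applicable_rules (simplified):
# every rule that matches contributes its headers to the response.
def matching_headers(path, rules = HEADER_RULES)
  rules.each_with_object({}) do |(rule, headers), acc|
    hit = case rule
          when :all    then true
          when :fonts  then path.match?(/\.(?:ttf|otf|eot|woff2|woff|svg)\z/)
          when String  then path.start_with?(rule)
          when Array   then path.match?(/\.(?:#{rule.map { |e| Regexp.escape(e) }.join('|')})\z/)
          when Regexp  then rule.match?(path)
          end
    acc.merge!(headers) if hit
  end
end

# Pre-fix behaviour: rules are evaluated on the raw, still-encoded PATH_INFO,
# while the file is later looked up by its decoded name.
def headers_before_fix(raw_path_info)
  matching_headers(raw_path_info)
end

# Fixed behaviour: decode once, then match rules against the same path
# that will be used to locate the file on disk.
def headers_after_fix(raw_path_info)
  matching_headers(percent_decode(raw_path_info))
end

# Post-upgrade check: request the same asset plainly and percent-encoded and
# flag any header present on the plain response but absent on the encoded one.
def encoded_request_drops_headers?(plain_headers, encoded_headers)
  plain_headers.keys.any? { |k| !encoded_headers.key?(k) }
end
```

Running `headers_before_fix('/assets/app.j%73')` returns only the `:all` headers, while `headers_after_fix` on the same request returns the full JavaScript rule set, matching what `/assets/app.js` receives.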
CVE-2026-34786 is a medium-severity vulnerability in Rack versions 2.2.9 and earlier that allows attackers to bypass security headers on static content by using URL-encoded paths.
You are affected if you are using Rack version 2.2.9 or earlier and rely on Rack::Static to apply security headers to static content.
Upgrade to Rack version 2.2.23 or later to resolve the vulnerability. As a temporary workaround, implement a WAF rule to decode URLs before Rack::Static processing.
There is currently no indication of active exploitation, but the vulnerability is conceptually easy to exploit.
Refer to the official Ruby security advisory for details: [https://ruby-sec.io/](https://ruby-sec.io/)