Platform: ruby
Component: rack
Fixed in: 2.2.24, 3.0.1, 3.2.1, 2.2.23
CVE-2026-34829 describes an unrestricted file upload vulnerability in Rack, the Ruby web server interface, affecting 2.2 releases up to 2.2.9 (and, per the remediation guidance below, the 3.1 and 3.2 series as well). The flaw lets an unauthenticated attacker bypass the multipart file size limit and stream an arbitrarily large file to disk, which leads to denial of service through disk exhaustion. The vulnerability was published on April 2, 2026; the fix for the 2.2 series is in 2.2.23.
The flaw is in how Rack::Multipart::Parser handles requests that carry no Content-Length header, which is the case for HTTP chunked transfer encoding. The parser normally caps the size of an uploaded part, but that cap is not enforced when Content-Length is absent, so an attacker who sends a chunked multipart request can stream an arbitrarily large file part straight into the temporary file Rack spools uploads to. The impact is to availability: the attacker fills the server's disk (or the volume holding its temporary directory), after which the application, and anything else that writes there, starts failing. The flaw itself does not give code execution or expose data.
As of the publication date there is no public proof-of-concept code for CVE-2026-34829. The severity is rated HIGH (CVSS 7.5). It is not in CISA's Known Exploited Vulnerabilities catalog, and its EPSS score is 0.05% (17th percentile), which points to a low probability of exploitation in the near term. The request needed is trivial to craft, though (a multipart POST without a Content-Length header), so opportunistic exploitation is plausible once the details are widely understood.
Exploit Status
EPSS: 0.05% (17th percentile)
CISA SSVC: none given
CVSS Vector: none given
The primary mitigation for CVE-2026-34829 is to upgrade to Rack 2.2.23 or later (or the fixed release of your 3.x series). If that is not immediately feasible, enforce a body size limit in front of, or inside, the application. A web application firewall or reverse proxy can cap multipart uploads, but the cap has to apply to the bytes actually received, not only to a declared Content-Length, because the attack path sends no Content-Length at all. Inside the application, a Rack middleware can count bytes as they are read from rack.input and abort the request once a reasonable threshold is exceeded. Monitor free space on the disk that holds the system temporary directory, since that is where multipart file parts are spooled, and alert on sudden growth. After upgrading, confirm the fix by sending a multipart upload larger than the limit with Transfer-Encoding: chunked (so no Content-Length header) and checking that it is rejected with an appropriate error rather than written to disk.
Update the Rack gem to 2.2.23, 3.1.21, or 3.2.6 (or any later release in the same series), whichever matches the series you are on. This fixes the denial of service caused by unlimited-size multipart file uploads.
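The byte-counting workaround described above, as an added example: this is not Rack's own code and does not reproduce the Rack::Multipart::Parser internals; the BodyLimiter and LimitedInput names, the 1 MiB threshold and the toy sink application are assumptions for illustration. It shows the point the analysis makes about Content-Length: a check on the declared length alone lets a chunked request through, so the limit has to be applied to bytes as they are consumed from rack.input.

```ruby
require 'stringio'

# Added example, not Rack's own code: a middleware that caps the number of
# request-body bytes an application may read, counting bytes as they are
# consumed from rack.input rather than trusting Content-Length. A chunked
# request carries no Content-Length, so a check on that header alone is
# exactly what an attacker bypasses.
class BodyLimiter
  class TooLarge < StandardError; end

  # Wraps rack.input and counts every byte handed to the application.
  class LimitedInput
    def initialize(io, max_bytes)
      @io, @max, @consumed = io, max_bytes, 0
    end

    def read(length = nil, outbuf = nil)
      chunk = @io.read(length, outbuf)
      account(chunk)
      chunk
    end

    def gets(*args)
      line = @io.gets(*args)
      account(line)
      line
    end

    def each
      while (chunk = read(8192))
        yield chunk
      end
    end

    def rewind
      @consumed = 0 # bytes are re-read from the start, not added to the total
      @io.rewind
    end

    def close; end

    private

    def account(data)
      return if data.nil?
      @consumed += data.bytesize
      raise TooLarge, "request body exceeded #{@max} bytes" if @consumed > @max
    end
  end

  def initialize(app, max_bytes:)
    @app, @max = app, max_bytes
  end

  def call(env)
    # Fast path: an honest Content-Length that is already too big is rejected
    # before any body bytes are read.
    declared = env['CONTENT_LENGTH']
    return too_large if declared && declared.to_i > @max

    # Slow path: no Content-Length (Transfer-Encoding: chunked) or a lying one.
    # Count bytes as the app, or a multipart parser, reads them.
    env['rack.input'] = LimitedInput.new(env['rack.input'], @max)
    @app.call(env)
  rescue TooLarge
    too_large
  end

  private

  def too_large
    body = "413 Payload Too Large\n"
    [413, { 'content-type' => 'text/plain', 'content-length' => body.bytesize.to_s }, [body]]
  end
end

# Constructed input for a stand-alone run: a toy app that streams the body in
# 8 KiB reads, as a multipart parser would, and discards it.
SINK_APP = lambda do |env|
  total = 0
  while (chunk = env['rack.input'].read(8192))
    total += chunk.bytesize
  end
  [200, { 'content-type' => 'text/plain' }, ["read #{total} bytes\n"]]
end

# Status the limited app returns for a body of body_size bytes, sent with or
# without a Content-Length header (a chunked request has none).
def upload_status(body_size, declare_length:, max_bytes: 1_048_576)
  env = {
    'REQUEST_METHOD' => 'POST',
    'CONTENT_TYPE'   => 'multipart/form-data; boundary=deadbeef',
    'rack.input'     => StringIO.new('A' * body_size),
  }
  env['CONTENT_LENGTH'] = body_size.to_s if declare_length
  BodyLimiter.new(SINK_APP, max_bytes: max_bytes).call(env)[0]
end

if __FILE__ == $PROGRAM_NAME
  puts upload_status(4096, declare_length: true)           # 200
  puts upload_status(2 * 1_048_576, declare_length: true)  # 413, from the header
  puts upload_status(2 * 1_048_576, declare_length: false) # 413, from byte counting
end
```

Mount it with `use BodyLimiter, max_bytes: ...` in config.ru ahead of anything that parses multipart bodies, and set the threshold to the largest upload the application legitimately accepts. It caps the whole body rather than individual parts, which is the right granularity for the disk-exhaustion risk described here.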
CVE-2026-34829 is a HIGH severity vulnerability in Ruby Rack versions up to 2.2.9. It allows attackers to bypass file size limits and upload arbitrarily large files, potentially leading to disk exhaustion and denial of service.
You are affected if you are running an unpatched Rack release (for the 2.2 series, 2.2.9 or earlier according to this advisory; see the fixed versions above for each series). Check the version your application actually loads with bundle exec ruby -e "require 'rack'; puts Rack.release", or look for the rack entry in your Gemfile.lock; ruby -v reports only the interpreter version, not Rack's.
Upgrade to Rack 2.2.23 or later (3.1.21 or 3.2.6 on the 3.x series) to remediate the vulnerability. As a temporary workaround, enforce an upload size limit with WAF rules or an application-level check that counts received bytes rather than trusting Content-Length.
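The "am I affected" check from the question above, as an added example (not the Rack project's own tooling): it reads the resolved rack version out of a Gemfile.lock and compares it against the minimum fixed release per series, using the fixed versions given in the remediation text on this page. The lockfile excerpt is constructed, and the FIXED_RACK table is an assumption taken from that text.

```ruby
require 'rubygems' # Gem::Version, part of the standard library

# Minimum fixed release per supported Rack series, taken from the remediation
# text on this page (assumption: these are the floors to compare against).
FIXED_RACK = {
  '2.2' => Gem::Version.new('2.2.23'),
  '3.1' => Gem::Version.new('3.1.21'),
  '3.2' => Gem::Version.new('3.2.6'),
}.freeze

# Reads the resolved rack version out of Gemfile.lock text. Bundler writes
# resolved gems under "specs:" as "    rack (2.2.8)" with a four-space indent,
# so dependency lines such as "      rack (>= 1.3)" at six spaces are skipped.
# Returns a Gem::Version, or nil if rack is not in the lockfile.
def rack_version_from_lockfile(lockfile_text)
  lockfile_text.each_line do |line|
    if (m = line.match(/\A {4}rack \(([^)]+)\)/))
      return Gem::Version.new(m[1])
    end
  end
  nil
end

# :fixed, :vulnerable, or :unknown (a series with no fixed release listed on
# this page, e.g. the 3.0.x line).
def rack_status(version)
  version = Gem::Version.new(version) unless version.is_a?(Gem::Version)
  series = version.segments[0, 2].join('.')
  fixed = FIXED_RACK[series]
  return :unknown unless fixed
  version >= fixed ? :fixed : :vulnerable
end

# Constructed sample lockfile excerpt, not from any real project.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (2.2.8)
      rack-test (2.1.0)
        rack (>= 1.3)
LOCK

if __FILE__ == $PROGRAM_NAME
  v = rack_version_from_lockfile(SAMPLE_LOCK)
  puts "rack #{v}: #{rack_status(v)}" # rack 2.2.8: vulnerable
end
```

Run it against a real lockfile with `rack_version_from_lockfile(File.read('Gemfile.lock'))`; a version from an unsupported series comes back :unknown rather than :fixed, so it is not silently treated as safe.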
As of the publication date, there are no reports of active exploitation. However, the ease of exploitation means it could become a target.
Refer to the Ruby Rack project's official website and security advisories for the latest information and updates regarding CVE-2026-34829.