Platform: ruby
Component: rack
Fixed in: 2.2.24, 3.0.1, 3.2.1, 2.2.23
CVE-2026-34830 describes a regex injection vulnerability in the Rack framework, specifically in the Rack::Sendfile#map_accel_path method. This flaw allows attackers to manipulate the X-Accel-Redirect response header, potentially leading to unauthorized file access. The vulnerability impacts Rack versions 2.2.9 and earlier, and a patch is available in version 2.2.23.
The core of the vulnerability lies in the unescaped interpolation of the X-Accel-Mapping request header within a regular expression. Attackers can leverage this by crafting malicious values for the X-Accel-Mapping header, injecting regex metacharacters. This manipulation allows them to control the generated X-Accel-Redirect response, effectively directing nginx to serve files from internal locations that the attacker should not have access to. The blast radius extends to any deployment utilizing Rack::Sendfile with x-accel-redirect, potentially exposing sensitive data or enabling further compromise of the backend infrastructure. This vulnerability shares similarities with other header injection flaws where improper sanitization leads to unintended control over response headers.
This vulnerability was publicly disclosed on 2026-04-02. Currently, there is no indication of active exploitation campaigns. No proof-of-concept code has been publicly released. The vulnerability is not listed on the CISA KEV catalog at the time of this writing. The CVSS score is 5.9 (MEDIUM), indicating a moderate risk.
Exploit Status
EPSS: 0.04% (12th percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade to Rack version 2.2.23 or later, which includes the necessary fix to properly escape the X-Accel-Mapping header. If immediate upgrading is not feasible, consider implementing a Web Application Firewall (WAF) rule to filter or sanitize the X-Accel-Mapping header, preventing the injection of regex metacharacters. Alternatively, carefully review and restrict access to the internal file locations served by x-accel-redirect. After upgrading, confirm the fix by attempting to send a crafted X-Accel-Mapping header containing regex metacharacters and verifying that the X-Accel-Redirect response remains unchanged and does not serve unintended files.
Update the Rack gem to version 2.2.23, 3.1.21, or 3.2.6, or higher, as appropriate for your current version. This corrects the regex injection vulnerability in the HTTP_X_ACCEL_MAPPING header. Ensure you test the update in a staging environment before deploying to production.
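As an added illustration (not Rack's own source), the following simplified Ruby model of the Rack::Sendfile mapping step shows the unescaped interpolation described above beside the Regexp.escape form, plus a helper that performs the comparison suggested in the mitigation section; the function names and sample paths are assumptions.

```ruby
# Simplified model of how Rack::Sendfile turns an X-Accel-Mapping header
# ("internal_prefix=external_prefix[, ...]") into the X-Accel-Redirect path.
# Illustrative code, not Rack's source; function names are assumptions.

def parse_mappings(mapping_header)
  mapping_header.split(',').map(&:strip).map do |m|
    internal, external = m.split('=', 2).map(&:strip)
    [internal, external] unless internal.nil? || external.nil?
  end.compact
end

# Vulnerable form: the internal prefix is interpolated into the regex as-is,
# so metacharacters in the header change what the anchored pattern matches.
def map_accel_path_unescaped(mapping_header, path)
  parse_mappings(mapping_header).each do |internal, external|
    new_path = path.sub(/^#{internal}/i, external)
    return new_path unless path == new_path
  end
  path
end

# Hardened form: Regexp.escape makes the prefix a literal, case-insensitive
# prefix match, which is the behaviour the mapping is meant to have.
def map_accel_path_escaped(mapping_header, path)
  parse_mappings(mapping_header).each do |internal, external|
    new_path = path.sub(/^#{Regexp.escape(internal)}/i, external)
    return new_path unless path == new_path
  end
  path
end

# Review check: true when a header value is interpreted differently by the
# two forms, i.e. its prefix only matches because of regex metacharacters.
def mapping_depends_on_regex?(mapping_header, path)
  map_accel_path_unescaped(mapping_header, path) !=
    map_accel_path_escaped(mapping_header, path)
end
```

A well-formed mapping such as "/var/www/files/=/files/" rewrites identically under both forms, while a prefix made of metacharacters rewrites the path only in the unescaped form.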
CVE-2026-34830 is a medium-severity vulnerability in Rack versions 2.2.9 and earlier. It allows attackers to inject regex metacharacters via the X-Accel-Mapping header, potentially leading to unauthorized file access.
You are affected if you are using Rack version 2.2.9 or earlier and your application utilizes Rack::Sendfile with x-accel-redirect.
Upgrade to Rack version 2.2.23 or later to resolve the vulnerability. As a temporary workaround, implement a WAF rule to sanitize the X-Accel-Mapping header.
There is currently no evidence of active exploitation of CVE-2026-34830.
Refer to the Rack project's official security advisories and release notes for details on CVE-2026-34830.