Platform: ruby
Component: rack
Fixed versions: 2.2.24, 3.0.1, 3.2.1, 2.2.23
CVE-2026-26961 affects versions of Ruby's Rack library up to 2.2.9. This vulnerability involves a boundary selection flaw within the Rack::Multipart::Parser, potentially allowing attackers to bypass upstream content validation. The issue arises from a greedy regular expression that incorrectly selects the last boundary parameter when multiple boundaries are present in a multipart/form-data request. A fix is available in version 2.2.23.
This vulnerability allows attackers to potentially bypass security controls implemented by upstream proxies, Web Application Firewalls (WAFs), or other intermediaries. By crafting a multipart/form-data request with multiple boundary parameters, an attacker can manipulate Rack to parse a different body structure than what the upstream system validated. This could lead to the injection of malicious content, bypassing security checks and potentially compromising the application. The impact is particularly significant in environments where Rack is used as a core component of a web application and relies on upstream security measures for protection.
CVE-2026-26961 was publicly disclosed on 2026-04-02. The CVSS score is LOW (3.7). Currently, there are no publicly known proof-of-concept exploits. While not actively exploited, the potential for bypassing upstream security controls warrants attention, especially in complex deployments.
Applications built on Ruby that utilize the Rack middleware, particularly those relying on upstream proxies or WAFs for security validation, are at risk. Shared hosting environments where Rack is a system-level dependency are also vulnerable.
• ruby / server:
find / -name 'rack-2.2.9*' -type d
• ruby / server:
ruby -v
• generic web: Check HTTP headers for Content-Type with multiple boundary parameters. Examine application logs for unusual multipart requests.
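The boundary-selection behaviour described above, together with the header check suggested under detection, as an added example that is not Rack's own code: a greedy pattern in the style the advisory describes returns the last boundary parameter, while a strict parser that enumerates every boundary parameter refuses a header carrying more than one. The regex, the sample headers and the function names are constructed for illustration and are assumptions, not quotations from the Rack source.

```ruby
# Added example, not code from Rack. Contrasts greedy boundary selection
# with a strict parser that rejects ambiguous Content-Type headers.

# Illustrative greedy pattern in the style the advisory describes (an
# assumption, not Rack's actual regex). The ".*" is greedy, so when the
# header carries two boundary parameters the capture lands on the LAST one.
GREEDY_BOUNDARY = /\Amultipart\/.*boundary="?([^";,]+)"?/i

def greedy_boundary(content_type)
  return nil if content_type.nil?
  m = GREEDY_BOUNDARY.match(content_type)
  m && m[1]
end

# Raised when a header carries more than one boundary parameter.
class AmbiguousBoundary < StandardError; end

# Strict alternative: split the header into parameters, collect every
# "boundary" parameter, and accept the request only when exactly one exists.
# This is what an upstream validator (proxy/WAF) or a middleware should do
# so that it cannot disagree with the application's parser.
def strict_boundary(content_type)
  return nil if content_type.nil?
  type, *params = content_type.split(";").map(&:strip)
  return nil unless type.downcase.start_with?("multipart/")

  boundaries = params.filter_map do |param|
    name, value = param.split("=", 2)
    next unless name && value && name.strip.downcase == "boundary"
    value.strip.delete_prefix('"').delete_suffix('"')
  end

  case boundaries.size
  when 0 then nil
  when 1 then boundaries.first
  else raise AmbiguousBoundary, "#{boundaries.size} boundary parameters present"
  end
end

# Detection helper for log or header review: true when the header would be
# rejected by the strict parser, i.e. when a greedy parser and a strict
# upstream validator could disagree about the body structure.
def ambiguous_boundary?(content_type)
  strict_boundary(content_type)
  false
rescue AmbiguousBoundary
  true
end

# Constructed sample headers (not captured traffic).
SINGLE_BOUNDARY = "multipart/form-data; boundary=first"
DOUBLE_BOUNDARY = "multipart/form-data; boundary=first; boundary=second"

if __FILE__ == $PROGRAM_NAME
  [SINGLE_BOUNDARY, DOUBLE_BOUNDARY].each do |header|
    puts "#{header}"
    puts "  greedy selects:  #{greedy_boundary(header).inspect}"
    puts "  ambiguous?       #{ambiguous_boundary?(header)}"
  end
end
```

Run as a script to see that the greedy pattern silently settles on `second` for the two-boundary header, whereas `ambiguous_boundary?` flags it; the strict parser is the check a WAF rule or a piece of middleware in front of the multipart parser can apply so that the validated body and the parsed body are the same.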
Disclosure
Exploitation status
EPSS: 0.04% (11th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-26961 is to upgrade to Rack version 2.2.23 or later. If upgrading is not immediately feasible, consider implementing stricter input validation on the upstream proxy or WAF to ensure only the intended boundary is used. Additionally, review and update any custom Rack middleware to ensure it handles multiple boundary parameters correctly. After upgrading, confirm the fix by sending a multipart request with multiple boundaries and verifying that Rack parses the expected boundary.
Upgrade the Rack gem to version 2.2.23, 3.1.21 or 3.2.6, or later, depending on the version branch you are using. This resolves the ambiguity in multipart boundary parsing and removes the possibility of bypassing the WAF.
CVE-2026-26961 is a LOW severity vulnerability in Ruby Rack versions up to 2.2.9 where the parser incorrectly selects the last boundary from multiple Content-Type boundaries, potentially bypassing upstream validation.
If you are using Ruby Rack version 2.2.9 or earlier, you are potentially affected. Check your Rack version and upgrade accordingly.
Upgrade to Rack version 2.2.23 or later to resolve the vulnerability. If immediate upgrade is not possible, implement stricter upstream validation.
As of now, there are no publicly known active exploits for CVE-2026-26961, but the potential for bypass warrants attention.
Refer to the Ruby Rack project's official website and security advisories for the latest information and updates regarding CVE-2026-26961.