Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-2p73-rc9t-rudb
Vulnerability ID VCID-2p73-rc9t-rudb
Aliases CVE-2026-34831
GHSA-q2ww-5357-x388
Summary Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Files#fail sets the Content-Length response header using String#size instead of String#bytesize. When the response body contains multibyte UTF-8 characters, the declared Content-Length is smaller than the number of bytes actually sent on the wire. Because Rack::Files reflects the requested path in 404 responses, an attacker can trigger this mismatch by requesting a non-existent path containing percent-encoded UTF-8 characters. This results in incorrect HTTP response framing and may cause response desynchronization in deployments that rely on the incorrect Content-Length value. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (2)
CWE-130 Improper Handling of Length Parameter Inconsistency
CWE-135 Incorrect Calculation of Multi-Byte String Length
System Score Found at
cvssv3 4.8 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34831.json
epss 0.00028 https://api.first.org/data/v1/epss?cve=CVE-2026-34831
epss 0.00028 https://api.first.org/data/v1/epss?cve=CVE-2026-34831
epss 0.00036 https://api.first.org/data/v1/epss?cve=CVE-2026-34831
epss 0.00036 https://api.first.org/data/v1/epss?cve=CVE-2026-34831
epss 0.00036 https://api.first.org/data/v1/epss?cve=CVE-2026-34831
epss 0.00036 https://api.first.org/data/v1/epss?cve=CVE-2026-34831
epss 0.00036 https://api.first.org/data/v1/epss?cve=CVE-2026-34831
cvssv3.1 4.8 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-q2ww-5357-x388
cvssv3.1 4.8 https://github.com/rack/rack
generic_textual MODERATE https://github.com/rack/rack
cvssv3.1 4.8 https://github.com/rack/rack/security/advisories/GHSA-q2ww-5357-x388
cvssv3.1_qr MODERATE https://github.com/rack/rack/security/advisories/GHSA-q2ww-5357-x388
generic_textual MODERATE https://github.com/rack/rack/security/advisories/GHSA-q2ww-5357-x388
ssvc Track https://github.com/rack/rack/security/advisories/GHSA-q2ww-5357-x388
cvssv3.1 4.8 https://nvd.nist.gov/vuln/detail/CVE-2026-34831
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2026-34831
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34831.json
https://api.first.org/data/v1/epss?cve=CVE-2026-34831
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34831
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/rack/rack
https://github.com/rack/rack/security/advisories/GHSA-q2ww-5357-x388
https://nvd.nist.gov/vuln/detail/CVE-2026-34831
2454504 https://bugzilla.redhat.com/show_bug.cgi?id=2454504
GHSA-q2ww-5357-x388 https://github.com/advisories/GHSA-q2ww-5357-x388
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34831.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://github.com/rack/rack
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://github.com/rack/rack/security/advisories/GHSA-q2ww-5357-x388
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-03T17:43:52Z/ Found at https://github.com/rack/rack/security/advisories/GHSA-q2ww-5357-x388
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-34831
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.07801
EPSS Score 0.00028
Published At April 4, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-03T07:52:21.395394+00:00 Debian Importer Import https://security-tracker.debian.org/tracker/data/json 38.1.0