Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-m98a-mcyb-c7fm
Vulnerability ID VCID-m98a-mcyb-c7fm
Aliases CVE-2026-34786
GHSA-q4qf-9j86-f5mh
Summary Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Static#applicable_rules evaluates several header_rules types against the raw URL-encoded PATH_INFO, while the underlying file-serving path is decoded before the file is served. As a result, a request for a URL-encoded variant of a static path can serve the same file without the headers that header_rules were intended to apply. In deployments that rely on Rack::Static to attach security-relevant response headers to static content, this can allow an attacker to bypass those headers by requesting an encoded form of the path. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (2)
CWE-180 Incorrect Behavior Order: Validate Before Canonicalize
CWE-179 Incorrect Behavior Order: Early Validation
System Score Found at
cvssv3 6.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34786.json
epss 0.00029 https://api.first.org/data/v1/epss?cve=CVE-2026-34786
epss 0.00029 https://api.first.org/data/v1/epss?cve=CVE-2026-34786
epss 0.00038 https://api.first.org/data/v1/epss?cve=CVE-2026-34786
epss 0.00038 https://api.first.org/data/v1/epss?cve=CVE-2026-34786
epss 0.00038 https://api.first.org/data/v1/epss?cve=CVE-2026-34786
epss 0.00038 https://api.first.org/data/v1/epss?cve=CVE-2026-34786
epss 0.00038 https://api.first.org/data/v1/epss?cve=CVE-2026-34786
cvssv3.1 5.3 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-q4qf-9j86-f5mh
cvssv3.1 5.3 https://github.com/rack/rack
generic_textual MODERATE https://github.com/rack/rack
cvssv3.1 5.3 https://github.com/rack/rack/security/advisories/GHSA-q4qf-9j86-f5mh
cvssv3.1_qr MODERATE https://github.com/rack/rack/security/advisories/GHSA-q4qf-9j86-f5mh
generic_textual MODERATE https://github.com/rack/rack/security/advisories/GHSA-q4qf-9j86-f5mh
ssvc Track https://github.com/rack/rack/security/advisories/GHSA-q4qf-9j86-f5mh
cvssv3.1 5.3 https://nvd.nist.gov/vuln/detail/CVE-2026-34786
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2026-34786
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34786.json
https://api.first.org/data/v1/epss?cve=CVE-2026-34786
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34786
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/rack/rack
https://github.com/rack/rack/security/advisories/GHSA-q4qf-9j86-f5mh
https://nvd.nist.gov/vuln/detail/CVE-2026-34786
2454507 https://bugzilla.redhat.com/show_bug.cgi?id=2454507
GHSA-q4qf-9j86-f5mh https://github.com/advisories/GHSA-q4qf-9j86-f5mh
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34786.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Found at https://github.com/rack/rack
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Found at https://github.com/rack/rack/security/advisories/GHSA-q4qf-9j86-f5mh
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-03T17:37:20Z/ Found at https://github.com/rack/rack/security/advisories/GHSA-q4qf-9j86-f5mh
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-34786
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.08219
EPSS Score 0.00029
Published At April 4, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-03T07:52:21.342041+00:00 Debian Importer Import https://security-tracker.debian.org/tracker/data/json 38.1.0