Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-p3dk-p1gb-kkem
Vulnerability ID VCID-p3dk-p1gb-kkem
Aliases CVE-2026-34230
GHSA-v569-hp3g-36wr
Summary Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Utils.select_best_encoding processes Accept-Encoding values with quadratic time complexity when the header contains many wildcard (*) entries. Because this method is used by Rack::Deflater to choose a response encoding, an unauthenticated attacker can send a single request with a crafted Accept-Encoding header and cause disproportionate CPU consumption on the compression middleware path. This results in a denial of service condition for applications using Rack::Deflater. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-400 Uncontrolled Resource Consumption
CWE-407 Inefficient Algorithmic Complexity
CWE-1050 Excessive Platform Resource Consumption within a Loop
System Score Found at
cvssv3 5.3 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34230.json
epss 0.00039 https://api.first.org/data/v1/epss?cve=CVE-2026-34230
epss 0.00039 https://api.first.org/data/v1/epss?cve=CVE-2026-34230
epss 0.00051 https://api.first.org/data/v1/epss?cve=CVE-2026-34230
epss 0.00051 https://api.first.org/data/v1/epss?cve=CVE-2026-34230
epss 0.00051 https://api.first.org/data/v1/epss?cve=CVE-2026-34230
epss 0.00051 https://api.first.org/data/v1/epss?cve=CVE-2026-34230
epss 0.00051 https://api.first.org/data/v1/epss?cve=CVE-2026-34230
cvssv3.1 5.3 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-v569-hp3g-36wr
cvssv3.1 5.3 https://github.com/rack/rack
generic_textual MODERATE https://github.com/rack/rack
cvssv3.1 5.3 https://github.com/rack/rack/security/advisories/GHSA-v569-hp3g-36wr
cvssv3.1_qr MODERATE https://github.com/rack/rack/security/advisories/GHSA-v569-hp3g-36wr
generic_textual MODERATE https://github.com/rack/rack/security/advisories/GHSA-v569-hp3g-36wr
ssvc Track https://github.com/rack/rack/security/advisories/GHSA-v569-hp3g-36wr
cvssv3.1 5.3 https://nvd.nist.gov/vuln/detail/CVE-2026-34230
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2026-34230
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34230.json
https://api.first.org/data/v1/epss?cve=CVE-2026-34230
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34230
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/rack/rack
https://github.com/rack/rack/security/advisories/GHSA-v569-hp3g-36wr
https://nvd.nist.gov/vuln/detail/CVE-2026-34230
2454493 https://bugzilla.redhat.com/show_bug.cgi?id=2454493
GHSA-v569-hp3g-36wr https://github.com/advisories/GHSA-v569-hp3g-36wr
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34230.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/rack/rack
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/rack/rack/security/advisories/GHSA-v569-hp3g-36wr
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-02T18:56:03Z/ Found at https://github.com/rack/rack/security/advisories/GHSA-v569-hp3g-36wr
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://nvd.nist.gov/vuln/detail/CVE-2026-34230
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.1188
EPSS Score 0.00039
Published At April 4, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-03T07:52:21.311905+00:00 Debian Importer Import https://security-tracker.debian.org/tracker/data/json 38.1.0