Home

Description

Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Static determines whether a request should be served as a static file using a simple string prefix check. When configured with URL prefixes such as "/css", it matches any request path that begins with that string, including unrelated paths such as "/css-config.env" or "/css-backup.sql". As a result, files under the static root whose names merely share the configured prefix may be served unintentionally, leading to information disclosure. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.

PUBLISHED Reserved 2026-03-30 | Published 2026-04-02 | Updated 2026-04-02 | Assigner GitHub_M




HIGH: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Problem types

CWE-187: Partial String Comparison

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Product status

< 2.2.23
affected

>= 3.0.0.beta1, < 3.1.21
affected

>= 3.2.0, < 3.2.6
affected

References

github.com/rack/rack/security/advisories/GHSA-h2jq-g4cq-5ppq

cve.org (CVE-2026-34785)

nvd.nist.gov (CVE-2026-34785)

Download JSON