{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26961", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-16T22:20:28.611Z", "datePublished": "2026-04-02T16:42:16.766Z", "dateUpdated": "2026-04-03T17:58:12.149Z"}, "containers": {"cna": {"title": "Rack: Multipart Boundary Parsing Ambiguity allowing WAF Bypass", "problemTypes": [{"descriptions": [{"cweId": "CWE-436", "lang": "en", "description": "CWE-436: Interpretation Conflict", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/rack/rack/security/advisories/GHSA-vgpv-f759-9wx3", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/rack/rack/security/advisories/GHSA-vgpv-f759-9wx3"}], "affected": [{"vendor": "rack", "product": "rack", "versions": [{"version": "< 2.2.23", "status": "affected"}, {"version": ">= 3.0.0.beta1, < 3.1.21", "status": "affected"}, {"version": ">= 3.2.0, < 3.2.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T16:42:16.766Z"}, "descriptions": [{"lang": "en", "value": "Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser extracts the boundary parameter from multipart/form-data using a greedy regular expression. When a Content-Type header contains multiple boundary parameters, Rack selects the last one rather than the first. In deployments where an upstream proxy, WAF, or intermediary interprets the first boundary parameter, this mismatch can allow an attacker to smuggle multipart content past upstream inspection and have Rack parse a different body structure than the intermediary validated. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6."}], "source": {"advisory": "GHSA-vgpv-f759-9wx3", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T17:57:50.290547Z", "id": "CVE-2026-26961", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T17:58:12.149Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26961", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-16T22:20:28.611Z", "datePublished": "2026-04-02T16:42:16.766Z", "dateUpdated": "2026-04-03T17:58:12.149Z"}, "containers": {"cna": {"title": "Rack: Multipart Boundary Parsing Ambiguity allowing WAF Bypass", "problemTypes": [{"descriptions": [{"cweId": "CWE-436", "lang": "en", "description": "CWE-436: Interpretation Conflict", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/rack/rack/security/advisories/GHSA-vgpv-f759-9wx3", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/rack/rack/security/advisories/GHSA-vgpv-f759-9wx3"}], "affected": [{"vendor": "rack", "product": "rack", "versions": [{"version": "< 2.2.23", "status": "affected"}, {"version": ">= 3.0.0.beta1, < 3.1.21", "status": "affected"}, {"version": ">= 3.2.0, < 3.2.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T16:42:16.766Z"}, "descriptions": [{"lang": "en", "value": "Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser extracts the boundary parameter from multipart/form-data using a greedy regular expression. When a Content-Type header contains multiple boundary parameters, Rack selects the last one rather than the first. In deployments where an upstream proxy, WAF, or intermediary interprets the first boundary parameter, this mismatch can allow an attacker to smuggle multipart content past upstream inspection and have Rack parse a different body structure than the intermediary validated. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6."}], "source": {"advisory": "GHSA-vgpv-f759-9wx3", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26961", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-03T17:57:50.290547Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T17:57:59.363Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rack:rack:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "AD5DE7DE-3A8B-4064-A7D5-1E117A101E81", "versionEndExcluding": "2.2.23", "vulnerable": true}, {"criteria": "cpe:2.3:a:rack:rack:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "6948AAA6-873D-46BA-AA22-4C81138128E1", "versionEndExcluding": "3.1.21", "versionStartIncluding": "3.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:rack:rack:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "3FB592AD-E826-49BE-AC6D-E5F55FDCC96E", "versionEndExcluding": "3.2.6", "versionStartIncluding": "3.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser extracts the boundary parameter from multipart/form-data using a greedy regular expression. When a Content-Type header contains multiple boundary parameters, Rack selects the last one rather than the first. In deployments where an upstream proxy, WAF, or intermediary interprets the first boundary parameter, this mismatch can allow an attacker to smuggle multipart content past upstream inspection and have Rack parse a different body structure than the intermediary validated. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6."}], "id": "CVE-2026-26961", "lastModified": "2026-04-16T17:33:26.013", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-02T17:16:21.973", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/rack/rack/security/advisories/GHSA-vgpv-f759-9wx3"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-436"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "github.com/rack/rack: Rack: Content smuggling via multipart boundary parsing mismatch", "id": "2454483", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454483"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.7", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "status": "draft"}, "cwe": "CWE-444", "details": ["Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser extracts the boundary parameter from multipart/form-data using a greedy regular expression. When a Content-Type header contains multiple boundary parameters, Rack selects the last one rather than the first. In deployments where an upstream proxy, WAF, or intermediary interprets the first boundary parameter, this mismatch can allow an attacker to smuggle multipart content past upstream inspection and have Rack parse a different body structure than the intermediary validated. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.", "A flaw was found in Rack, a modular Ruby web server interface. A remote attacker can exploit a vulnerability in Rack::Multipart::Parser by crafting a Content-Type header with multiple boundary parameters. This allows the attacker to bypass security inspections performed by upstream proxies or Web Application Firewalls (WAFs), leading to the Rack application processing different multipart content than what was validated by the intermediary. This content smuggling can enable unauthorized actions or data manipulation."], "name": "CVE-2026-26961", "package_state": [{"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "rubygem-rack", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "rubygem-rack-test", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "satellite-capsule:el8/rubygem-rack", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "satellite:el8/rubygem-rack-test", "product_name": "Red Hat Satellite 6"}], "public_date": "2026-04-02T16:42:16Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-26961\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-26961\nhttps://github.com/rack/rack/security/advisories/GHSA-vgpv-f759-9wx3"], "threat_severity": "Low"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.2.23)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.0.0.beta1,3.1.21)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.2.0,3.2.6)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "rack", "source": "cna", "vendor": "rack"}, "product": "rack", "vendor": "rack"}], "analysis": {"en": {"generated_at": "2026-04-04T04:37:02.498781+00:00", "value": {"mitigation_remediation": ["Upgrade Rack to at least version 2.2.23, 3.1.21, or 3.2.6 to apply the parser fix."], "summary": {"action": "Patch Immediately", "impact": "WAF bypass via multipart boundary mismatch"}, "threat_synthesis": {"affected_systems": "The issue affects the Rack Ruby web server interface. All versions earlier than 2.2.23, 3.1.21, and 3.2.6 are vulnerable. Deployments running these older releases are at risk until they are updated to the patched versions.", "description_and_impact": "Rack\u2019s multipart parser uses a greedy regular expression that extracts the boundary parameter from a Content\u2011Type header by selecting the last value rather than the first. This parsing flaw constitutes a boundary ambiguity weakness (CWE\u2011444) and an incorrect data extraction weakness (CWE\u2011436). When a request contains multiple boundary parameters, upstream proxies, Web Application Firewalls, or other intermediaries that interpret the first parameter may apply filtering logic based on that boundary, while Rack itself parses the request using the second parameter. The result is that malicious multipart payloads can slip past upstream inspection and be processed by the application, potentially exposing the system to data injection or other payload-based attacks.", "risk_and_exploitability": "The CVSS base score of 3.7 indicates a low severity vulnerability, and the EPSS score of less than 1% suggests a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to send a specially crafted multipart/form\u2011data HTTP request that contains two boundary parameters; the WAF or proxy will use the first boundary while Rack will use the second, enabling the attacker to smuggle unwanted content past upstream controls."}}}}, "created": "2026-04-03T07:36:08.357144+00:00", "updated": "2026-04-07T07:56:01.810661+00:00", "vendors": ["rack", "rack$PRODUCT$rack"]}