{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34785", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T19:54:55.556Z", "datePublished": "2026-04-02T16:44:17.134Z", "dateUpdated": "2026-04-02T18:59:08.828Z"}, "containers": {"cna": {"title": "Rack: Local file inclusion in `Rack::Static` via URL Prefix Matching", "problemTypes": [{"descriptions": [{"cweId": "CWE-187", "lang": "en", "description": "CWE-187: Partial String Comparison", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/rack/rack/security/advisories/GHSA-h2jq-g4cq-5ppq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/rack/rack/security/advisories/GHSA-h2jq-g4cq-5ppq"}], "affected": [{"vendor": "rack", "product": "rack", "versions": [{"version": "< 2.2.23", "status": "affected"}, {"version": ">= 3.0.0.beta1, < 3.1.21", "status": "affected"}, {"version": ">= 3.2.0, < 3.2.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T16:44:17.134Z"}, "descriptions": [{"lang": "en", "value": "Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Static determines whether a request should be served as a static file using a simple string prefix check. When configured with URL prefixes such as \"/css\", it matches any request path that begins with that string, including unrelated paths such as \"/css-config.env\" or \"/css-backup.sql\". As a result, files under the static root whose names merely share the configured prefix may be served unintentionally, leading to information disclosure. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6."}], "source": {"advisory": "GHSA-h2jq-g4cq-5ppq", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T18:58:57.726888Z", "id": "CVE-2026-34785", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T18:59:08.828Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34785", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-02T18:58:57.726888Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T18:59:03.674Z"}}], "cna": {"title": "Rack: Local file inclusion in `Rack::Static` via URL Prefix Matching", "source": {"advisory": "GHSA-h2jq-g4cq-5ppq", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "rack", "product": "rack", "versions": [{"status": "affected", "version": "< 2.2.23"}, {"status": "affected", "version": ">= 3.0.0.beta1, < 3.1.21"}, {"status": "affected", "version": ">= 3.2.0, < 3.2.6"}]}], "references": [{"url": "https://github.com/rack/rack/security/advisories/GHSA-h2jq-g4cq-5ppq", "name": "https://github.com/rack/rack/security/advisories/GHSA-h2jq-g4cq-5ppq", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Static determines whether a request should be served as a static file using a simple string prefix check. When configured with URL prefixes such as \"/css\", it matches any request path that begins with that string, including unrelated paths such as \"/css-config.env\" or \"/css-backup.sql\". As a result, files under the static root whose names merely share the configured prefix may be served unintentionally, leading to information disclosure. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-187", "description": "CWE-187: Partial String Comparison"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T16:44:17.134Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34785", "state": "PUBLISHED", "dateUpdated": "2026-04-02T18:59:08.828Z", "dateReserved": "2026-03-30T19:54:55.556Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-02T16:44:17.134Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rack:rack:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "AD5DE7DE-3A8B-4064-A7D5-1E117A101E81", "versionEndExcluding": "2.2.23", "vulnerable": true}, {"criteria": "cpe:2.3:a:rack:rack:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "6948AAA6-873D-46BA-AA22-4C81138128E1", "versionEndExcluding": "3.1.21", "versionStartIncluding": "3.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:rack:rack:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "3FB592AD-E826-49BE-AC6D-E5F55FDCC96E", "versionEndExcluding": "3.2.6", "versionStartIncluding": "3.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Static determines whether a request should be served as a static file using a simple string prefix check. When configured with URL prefixes such as \"/css\", it matches any request path that begins with that string, including unrelated paths such as \"/css-config.env\" or \"/css-backup.sql\". As a result, files under the static root whose names merely share the configured prefix may be served unintentionally, leading to information disclosure. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6."}], "id": "CVE-2026-34785", "lastModified": "2026-04-16T17:19:35.290", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-02T17:16:24.873", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/rack/rack/security/advisories/GHSA-h2jq-g4cq-5ppq"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-187"}, {"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "github.com/rack/rack: Rack: Information disclosure via incorrect static file serving prefix check", "id": "2454486", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454486"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-552", "details": ["Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Static determines whether a request should be served as a static file using a simple string prefix check. When configured with URL prefixes such as \"/css\", it matches any request path that begins with that string, including unrelated paths such as \"/css-config.env\" or \"/css-backup.sql\". As a result, files under the static root whose names merely share the configured prefix may be served unintentionally, leading to information disclosure. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.", "A flaw was found in Rack. The `Rack::Static` component, which serves static files for web applications, uses a simple string prefix check to determine if a request should be served as a static file. This can lead to unintended information disclosure, as files with names that merely share a configured URL prefix (e.g., \"/css\" matching \"/css-config.env\") may be served unintentionally to a remote attacker."], "name": "CVE-2026-34785", "package_state": [{"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "rubygem-rack", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "rubygem-rack-test", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "satellite-capsule:el8/rubygem-rack", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "satellite:el8/rubygem-rack-test", "product_name": "Red Hat Satellite 6"}], "public_date": "2026-04-02T16:44:17Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-34785\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-34785\nhttps://github.com/rack/rack/security/advisories/GHSA-h2jq-g4cq-5ppq"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.2.23)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[3.0.0.beta1,3.1.21)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.2.0,3.2.6)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "rack", "source": "cna", "vendor": "rack"}, "product": "rack", "vendor": "rack"}], "analysis": {"en": {"generated_at": "2026-04-04T03:58:05.290138+00:00", "value": {"mitigation_remediation": ["Upgrade rack to version 2.2.23, 3.1.21, or 3.2.6 or newer to eliminate the insecure prefix matching logic.", "Reconfigure static file prefixes to match only intended paths and avoid naming collisions with important files.", "Verify that the updated application does not serve unintended files by testing common sensitive paths after the patch."], "summary": {"action": "Immediate Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Rack framework, specifically the rack:rack library. Versions prior to 2.2.23, 3.1.21, and 3.2.6 are impacted; updating to these patched releases removes the insecure prefix matching behavior.", "description_and_impact": "Rack::Static determines whether a URL should be served by checking only the string prefix of the request path against a configured prefix. Because it does not confirm that the matched path refers to an existing file, requests such as \"/css-config.env\" or \"/css-backup.sql\" can cause Rack to expose any file whose name starts with the prefix, allowing an attacker to read sensitive data or configuration files.", "risk_and_exploitability": "The CVSS score of 7.5 signals a high severity, yet the EPSS score below 1% indicates that exploitation is unlikely at present, and this vulnerability is not listed in CISA's KEV catalog. The likely attack vector is a crafted HTTP GET request that uses a known static prefix but points to a sensitive file; based on the description, it is inferred that such a request would cause Rack to serve the file and disclose its contents. No special privileges are required for the attacker to perform this action."}}}}, "created": "2026-04-03T07:36:05.405491+00:00", "updated": "2026-04-07T07:55:59.279778+00:00", "vendors": ["rack", "rack$PRODUCT$rack"]}