Originally published at cvereports.com


CVE-2026-26962: CRLF Injection in Rack Multipart Parser via Obsolete Line Folding

Vulnerability ID: CVE-2026-26962
CVSS Score: 4.8
Published: 2026-04-02

The Rack modular Ruby web server interface contains an Improper Neutralization of CRLF Sequences vulnerability in its Rack::Multipart::Parser component. The parser fails to unfold obsolete line folding (obs-fold) sequences in multipart headers. Applications reflecting these unsanitized multipart variables into response headers are susceptible to HTTP Response Splitting attacks.

TL;DR

Rack's multipart parser fails to strip CRLF sequences from folded headers, allowing attackers to inject new HTTP headers if the application reflects parsed multipart metadata.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-93
  • Attack Vector: Network
  • CVSS Score: 4.8
  • Impact: HTTP Response Splitting / CRLF Injection
  • Exploit Status: Proof of Concept
  • CISA KEV: False

Affected Systems

  • Ruby applications utilizing the Rack web server interface versions >= 3.2.0 and < 3.2.6
  • Frameworks dependent on Rack for multipart parsing (e.g., Rails, Sinatra, Hanami)
  • rack: >= 3.2.0, < 3.2.6 (Fixed in: 3.2.6)

Code Analysis

Commit: d50c4d3

Fix for CRLF injection in multipart parser via obsolete line folding.

# Obsolete line folding (obs-fold): a CRLF immediately followed by SP or HTAB
OBS_UNFOLD = /\r\n([ \t])/
...
# Collapse each fold to the single SP/HTAB so the header value carries no CRLF
content_type.gsub!(OBS_UNFOLD, '\1') if content_type

Exploit Details

  • Technical Advisory PoC: a proof of concept demonstrating an HTTP request whose multipart part header contains an obs-fold payload, injecting CRLF characters into the parsed filename variable.

Mitigation Strategies

  • Upgrade the Rack gem to a patched version (>= 3.2.6).
  • Sanitize all multipart metadata (e.g., filename, name) before reflecting it in HTTP response headers.
  • Deploy WAF rules to detect and drop multipart HTTP headers containing obsolete folding patterns.

Remediation Steps:

  1. Identify all projects utilizing the 'rack' gem.
  2. Update the Gemfile to specify 'gem "rack", ">= 3.2.6"'.
  3. Execute 'bundle update rack' to install the patched version.
  4. Review application source code for direct reflection of 'params[:file][:filename]' or similar attributes into response headers.
  5. Implement sanitization logic to strip \r and \n characters prior to header assignment if updating is delayed.
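The following is an added, self-contained Ruby example (not Rack's own code) that applies the same unfolding pattern as the fix to a constructed multipart part header, shows a simple obs-fold detection check, and shows the application-side sanitization from step 5; the part header and the helper names are assumptions for illustration.

```ruby
# Same pattern as the Rack 3.2.6 fix: CRLF followed by SP or HTAB.
OBS_UNFOLD = /\r\n([ \t])/

# Unfold the way the patched parser does: each fold collapses to its SP/HTAB,
# so the resulting header value no longer contains a CRLF sequence.
def unfold_obs_fold(header_value)
  header_value.gsub(OBS_UNFOLD, '\1')
end

# Detection helper: ordinary clients (browsers, curl) never emit obs-fold in
# multipart part headers, so its presence is worth logging or blocking.
def obs_fold?(raw_part_headers)
  raw_part_headers.match?(OBS_UNFOLD)
end

# Step-5 hardening, independent of the Rack version: strip CR/LF before any
# multipart metadata is placed in a response header.
def safe_header_value(value)
  value.to_s.delete("\r\n")
end

# Build a Content-Disposition value from an uploaded filename (also drops quotes).
def content_disposition_for(filename)
  "attachment; filename=\"#{safe_header_value(filename).delete('"')}\""
end

# Constructed multipart part header (not a real capture): the filename
# parameter is folded across a line, so the raw value carries a CRLF.
RAW_PART_HEADERS = "Content-Disposition: form-data; name=\"file\"; " \
                   "filename=\"report\r\n .txt\"\r\nContent-Type: text/plain\r\n"

# Unpatched behaviour: the filename is taken as-is, fold included.
def raw_filename(raw_part_headers)
  raw_part_headers[/filename="([^"]*)"/, 1]
end

# Patched behaviour: unfold first, then extract.
def unfolded_filename(raw_part_headers)
  raw_filename(unfold_obs_fold(raw_part_headers))
end

if __FILE__ == $PROGRAM_NAME
  puts "obs-fold present:   #{obs_fold?(RAW_PART_HEADERS)}"
  puts "unpatched filename: #{raw_filename(RAW_PART_HEADERS).inspect}"
  puts "patched filename:   #{unfolded_filename(RAW_PART_HEADERS).inspect}"
  puts content_disposition_for(raw_filename(RAW_PART_HEADERS))
end
```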
