DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-34786: Security Header Bypass in Rack::Static via Path Canonicalization Flaw

Vulnerability ID: CVE-2026-34786
CVSS Score: 5.3
Published: 2026-04-02

A canonicalization vulnerability in the Rack Ruby gem's Rack::Static middleware allows attackers to bypass security header rules. By supplying URL-encoded paths, an attacker can evade pattern-matching logic while still retrieving the targeted static files.

TL;DR

Rack::Static evaluates its security header rules against the raw, still-encoded URL path, then decodes the path to locate the file. Requesting a file with a percent-encoded extension (e.g., app%2ejs instead of app.js) therefore misses extension-based header rules (such as a CSP rule for .js files) while the decoded path still resolves to, and serves, the requested file.

Technical Details

  • CWE ID: CWE-180
  • CVSS Score: 5.3
  • Attack Vector: Network
  • Impact: Security Header Bypass
  • Exploit Status: None
  • CISA KEV: False

Affected Systems

  • Ruby Rack applications utilizing the Rack::Static middleware
  • Rack (Ruby Gem): < 2.2.23 (Fixed in: 2.2.23)
  • Rack (Ruby Gem): >= 3.0.0.beta1, < 3.1.21 (Fixed in: 3.1.21)
  • Rack (Ruby Gem): >= 3.2.0, < 3.2.6 (Fixed in: 3.2.6)

Mitigation Strategies

  • Upgrade Rack gem to a patched version (2.2.23, 3.1.21, or 3.2.6).
  • Implement reverse proxy rules (Nginx/Apache) to block URL-encoded dots or slashes in static asset paths.

Remediation Steps

  1. Identify projects utilizing the Rack gem and check the current version.
  2. Update the Gemfile to specify Rack versions 2.2.23, 3.1.21, or 3.2.6.
  3. Run 'bundle update rack' to apply the new version.
  4. Verify the fix by requesting a URL-encoded static asset and checking for the presence of intended security headers.
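The following is an added illustration, not code from the Rack gem or from the original report. It is a miniature Rack-style static handler with header rules, written to show the ordering problem described in the TL;DR (rules matched against the raw path, file looked up via the decoded path) next to the corrected ordering (canonicalize first, then match), and it doubles as a model of what the check in remediation step 4 should observe. The in-memory file table, the rule format and the function names are all constructed for this example.

```ruby
# Added example: a toy static-file handler with header rules.
# Not Rack::Static's code; the file table and rule format are constructed here.

# Constructed stand-in for files on disk: canonical path => body.
FILES = {
  "/assets/app.js"   => "console.log('hi')",
  "/assets/site.css" => "body{}",
}.freeze

# Constructed header rules: a selector plus the headers to add when it matches.
HEADER_RULES = [
  [:all,    { "cache-control" => "public, max-age=31536000" }],
  [%w[js],  { "content-security-policy" => "script-src 'self'" }],
].freeze

# Minimal percent-decoder so the example has no dependency on the rack gem.
def percent_decode(path)
  path.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
end

# Decode, then resolve "." and ".." segments, yielding the canonical path.
def canonicalize(path)
  parts = []
  percent_decode(path).split("/").each do |seg|
    case seg
    when "", "." then next
    when ".."    then parts.pop
    else              parts << seg
    end
  end
  "/" + parts.join("/")
end

# Apply every rule whose selector matches the given path.
def headers_for(path, rules)
  rules.each_with_object({}) do |(selector, hdrs), out|
    matched =
      case selector
      when :all    then true
      when Array   then selector.include?(File.extname(path).delete_prefix("."))
      when Regexp  then selector.match?(path)
      when String  then path.start_with?(selector)
      end
    out.merge!(hdrs) if matched
  end
end

# canonicalize_first: false reproduces the flawed ordering (rules see the raw
# path, the file lookup sees the decoded one); true is the corrected ordering.
def serve(raw_path, rules, canonicalize_first:)
  clean = canonicalize(raw_path)
  body  = FILES[clean]
  return [404, {}, []] unless body

  rule_path = canonicalize_first ? clean : raw_path
  [200, headers_for(rule_path, rules), [body]]
end

def vulnerable(raw_path)
  serve(raw_path, HEADER_RULES, canonicalize_first: false)
end

def fixed(raw_path)
  serve(raw_path, HEADER_RULES, canonicalize_first: true)
end

if __FILE__ == $PROGRAM_NAME
  ["/assets/app.js", "/assets/app%2Ejs"].each do |p|
    status, hdrs, = vulnerable(p)
    puts "vulnerable #{p}: #{status} #{hdrs.keys.inspect}"
    status, hdrs, = fixed(p)
    puts "fixed      #{p}: #{status} #{hdrs.keys.inspect}"
  end
end
```

In the flawed ordering, `File.extname("/assets/app%2Ejs")` is empty, so the `js` rule never fires even though the file lookup succeeds; in the corrected ordering the rule is evaluated against `/assets/app.js` and the header is present. That is the observable difference remediation step 4 relies on: after upgrading, a request for an encoded asset path must carry the same security headers as the plain path.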

Read the full report for CVE-2026-34786 on our website for more details including interactive diagrams and full exploit analysis.
