Rack up to 2.2.22/3.1.20/3.2.5 Regular Expression Rack::Sendfile X-Accel-Mapping permissive regular expression

Summaryinfo

A vulnerability was found in Rack up to 2.2.22/3.1.20/3.2.5. It has been rated as problematic. Affected by this issue is the function Rack::Sendfile of the component Regular Expression Handler. This manipulation of the argument X-Accel-Mapping causes permissive regular expression. The identification of this vulnerability is CVE-2026-34830. It is possible to initiate the attack remotely. There is no exploit available. Upgrading the affected component is advised.

Detailsinfo

A vulnerability was found in Rack up to 2.2.22/3.1.20/3.2.5. It has been declared as problematic. Affected by this vulnerability is the function Rack::Sendfile of the component Regular Expression Handler. The manipulation of the argument X-Accel-Mapping with an unknown input leads to a permissive regular expression vulnerability. The CWE definition for the vulnerability is CWE-625. The product uses a regular expression that does not sufficiently restrict the set of allowed values. As an impact it is known to affect confidentiality. The summary by CVE is:

Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Sendfile#map_accel_path interpolates the value of the X-Accel-Mapping request header directly into a regular expression when rewriting file paths for X-Accel-Redirect. Because the header value is not escaped, an attacker who can supply X-Accel-Mapping to the backend can inject regex metacharacters and control the generated X-Accel-Redirect response header. In deployments using Rack::Sendfile with x-accel-redirect, this can allow an attacker to cause nginx to serve unintended files from configured internal locations. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.

The advisory is shared at github.com. This vulnerability is known as CVE-2026-34830 since 03/30/2026. The exploitation appears to be difficult. The attack can be launched remotely. The exploitation doesn't need any form of authentication. Technical details are known, but no exploit is available.

Upgrading to version 2.2.23, 3.1.21 or 3.2.6 eliminates this vulnerability.

The vulnerability is also documented in the vulnerability database at EUVD (EUVD-2026-18390). If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Productinfo

Name

• Rack

Version

• 2.2.0
• 2.2.1
• 2.2.2
• 2.2.3
• 2.2.4
• 2.2.5
• 2.2.6
• 2.2.7
• 2.2.8
• 2.2.9
• 2.2.10
• 2.2.11
• 2.2.12
• 2.2.13
• 2.2.14
• 2.2.15
• 2.2.16
• 2.2.17
• 2.2.18
• 2.2.19
• 2.2.20
• 2.2.21
• 2.2.22
• 3.1.0
• 3.1.1
• 3.1.2
• 3.1.3
• 3.1.4
• 3.1.5
• 3.1.6
• 3.1.7
• 3.1.8
• 3.1.9
• 3.1.10
• 3.1.11
• 3.1.12
• 3.1.13
• 3.1.14
• 3.1.15
• 3.1.16
• 3.1.17
• 3.1.18
• 3.1.19
• 3.1.20
• 3.2.0
• 3.2.1
• 3.2.2
• 3.2.3
• 3.2.4
• 3.2.5

Website

• Product: https://github.com/rack/rack/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Discussion