CVE-2026-34785

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-34785
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-34785.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-34785
Aliases
Downstream
Related
Published
2026-04-02T16:44:17.134Z
Modified
2026-04-13T04:27:53.384165Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Rack: Local file inclusion in `Rack::Static` via URL Prefix Matching
Details

Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Static determines whether a request should be served as a static file using a simple string prefix check. When configured with URL prefixes such as "/css", it matches any request path that begins with that string, including unrelated paths such as "/css-config.env" or "/css-backup.sql". As a result, files under the static root whose names merely share the configured prefix may be served unintentionally, leading to information disclosure. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.

Database specific 
{
    "cwe_ids": [
        "CWE-187",
        "CWE-200"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/34xxx/CVE-2026-34785.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/rack/rack

Affected ranges

Type
GIT
Repo
https://github.com/rack/rack
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
f2af0c8f869193fa7bb7d20b619b3003418e1055
Introduced
572a42a705b423ce98ef4e81435d4f60fb0ae53d
Fixed
ae8431120e66e92d1885ab8ec0a553d9cad5ec13
Introduced
b68251c03788ff39d4a4b25424df7360426e4afd
Fixed
e1f22fdbe99afd2126b6fbf05bb12399359574b7
Database specific 
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.2.23"
        },
        {
            "introduced": "3.0.0.beta1"
        },
        {
            "fixed": "3.1.21"
        },
        {
            "introduced": "3.2.0"
        },
        {
            "fixed": "3.2.6"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

0.*
0.1
0.2
0.3
1.*
1.0
1.3.0
1.3.0.beta
1.3.0.beta2
1.4.0
1.4.1
1.5.0
1.5.1
1.6.0.beta
2.*
2.0.0
2.0.0.alpha
2.0.0.rc1
2.0.1
2.1.0
2.2.0
2.2.3
2.2.4
3.*
3.0.0
3.0.0.beta1
3.0.0.rc1
v2.*
v2.2.1
v2.2.10
v2.2.11
v2.2.12
v2.2.13
v2.2.14
v2.2.15
v2.2.16
v2.2.17
v2.2.18
v2.2.19
v2.2.2
v2.2.20
v2.2.21
v2.2.22
v2.2.5
v2.2.6
v2.2.6.1
v2.2.6.2
v2.2.7
v2.2.8
v2.2.9
v3.*
v3.1.0
v3.1.10
v3.1.11
v3.1.12
v3.1.13
v3.1.14
v3.1.15
v3.1.16
v3.1.17
v3.1.18
v3.1.19
v3.1.2
v3.1.20
v3.1.3
v3.1.4
v3.1.5
v3.1.6
v3.1.7
v3.1.8
v3.1.9
v3.2.0
v3.2.1
v3.2.2
v3.2.3
v3.2.4
v3.2.5

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-34785.json"