CVE-2026-26962

NameCVE-2026-26962
DescriptionRack is a modular Ruby web server interface. From version 3.2.0 to before version 3.2.6, Rack::Multipart::Parser unfolds folded multipart part headers incorrectly. When a multipart header contains an obs-fold sequence, Rack preserves the embedded CRLF in parsed parameter values such as filename or name instead of removing the folded line break during unfolding. As a result, applications that later reuse those parsed values in HTTP response headers may be vulnerable to downstream header injection or response splitting. This issue has been patched in version 3.2.6.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ruby-rack (PTS)bullseye2.1.4-3+deb11u2vulnerable
bullseye (security)2.1.4-3+deb11u5vulnerable
bookworm2.2.20-0+deb12u1vulnerable
bookworm (security)2.2.22-0+deb12u1vulnerable
trixie3.1.18-1~deb13u1vulnerable
trixie (security)3.1.20-0+deb13u1vulnerable
forky3.1.18-1vulnerable
sid3.2.5-2vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
ruby-racksourceexperimental3.2.6-1
ruby-racksource(unstable)(unfixed)

Notes

https://github.com/rack/rack/security/advisories/GHSA-rx22-g9mx-qrhv
Fixed by: https://github.com/rack/rack/commit/d50c4d3dab62fa80b2a276271d0d4fb338cfa7df (v3.2.6)
Search for package or bug name: Reporting problems