CVE-2026-34830

NameCVE-2026-34830
DescriptionRack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Sendfile#map_accel_path interpolates the value of the X-Accel-Mapping request header directly into a regular expression when rewriting file paths for X-Accel-Redirect. Because the header value is not escaped, an attacker who can supply X-Accel-Mapping to the backend can inject regex metacharacters and control the generated X-Accel-Redirect response header. In deployments using Rack::Sendfile with x-accel-redirect, this can allow an attacker to cause nginx to serve unintended files from configured internal locations. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ruby-rack (PTS)bullseye2.1.4-3+deb11u2vulnerable
bullseye (security)2.1.4-3+deb11u5vulnerable
bookworm2.2.20-0+deb12u1vulnerable
bookworm (security)2.2.22-0+deb12u1vulnerable
trixie3.1.18-1~deb13u1vulnerable
trixie (security)3.1.20-0+deb13u1vulnerable
forky3.1.18-1vulnerable
sid3.2.5-2vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
ruby-racksourceexperimental3.2.6-1
ruby-racksource(unstable)(unfixed)

Notes

https://github.com/rack/rack/security/advisories/GHSA-qv7j-4883-hwh7
Fixed by: https://github.com/rack/rack/commit/a57bc140247f904dc1e3302badedcb73645072c7 (v3.2.6)
Fixed by: https://github.com/rack/rack/commit/59a0966a484f2903833fa3e4c81919d3c645738d (v3.1.21)
Fixed by: https://github.com/rack/rack/commit/7f288de93768b5cc44a5f4ed1ac02470d8fe52f4 (v2.2.23)
Search for package or bug name: Reporting problems