Bug 2454486 (CVE-2026-34785)

Summary: CVE-2026-34785 github.com/rack/rack: Rack: Information disclosure via incorrect static file serving prefix check
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: anthomas, ehelms, ggainey, juwatts, mhulan, nmoumoul, osousa, pcreech, rchan, smallamp, tmalecek
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in Rack. The `Rack::Static` component, which serves static files for web applications, uses a simple string prefix check to determine if a request should be served as a static file. This can lead to unintended information disclosure, as files with names that merely share a configured URL prefix (e.g., "/css" matching "/css-config.env") may be served unintentionally to a remote attacker.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-04-02 18:01:36 UTC 
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Static determines whether a request should be served as a static file using a simple string prefix check. When configured with URL prefixes such as "/css", it matches any request path that begins with that string, including unrelated paths such as "/css-config.env" or "/css-backup.sql". As a result, files under the static root whose names merely share the configured prefix may be served unintentionally, leading to information disclosure. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.