2454483 – (CVE-2026-26961) CVE-2026-26961 github.com/rack/rack: Rack: Content smuggling via multipart boundary parsing mismatch

Bug 2454483 (CVE-2026-26961) - CVE-2026-26961 github.com/rack/rack: Rack: Content smuggling via multipart boundary parsing mismatch

Summary: CVE-2026-26961 github.com/rack/rack: Rack: Content smuggling via multipart bo...

Keywords:
Status:	NEW
Alias:	CVE-2026-26961
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-04-02 18:01 UTC by OSIDB Bzimport
Modified:	2026-04-03 12:25 UTC (History)
CC List:	11 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-04-02 18:01:25 UTC

Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser extracts the boundary parameter from multipart/form-data using a greedy regular expression. When a Content-Type header contains multiple boundary parameters, Rack selects the last one rather than the first. In deployments where an upstream proxy, WAF, or intermediary interprets the first boundary parameter, this mismatch can allow an attacker to smuggle multipart content past upstream inspection and have Rack parse a different body structure than the intermediary validated. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.

Note You need to log in before you can comment on or make changes to this bug.