Bug 2454486 (CVE-2026-34785) - CVE-2026-34785 github.com/rack/rack: Rack: Information disclosure via incorrect static file serving prefix check
Status: NEW
Alias: CVE-2026-34785
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: high high
Target Milestone: ---
Assignee: Product Security DevOps Team
Reported: 2026-04-02 18:01 UTC by OSIDB Bzimport
Modified: 2026-04-03 12:36 UTC (History)




Description OSIDB Bzimport 2026-04-02 18:01:36 UTC
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Static determines whether a request should be served as a static file using a simple string prefix check. When configured with URL prefixes such as "/css", it matches any request path that begins with that string, including unrelated paths such as "/css-config.env" or "/css-backup.sql". As a result, files under the static root whose names merely share the configured prefix may be served unintentionally, leading to information disclosure. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
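The two checks described above, side by side, as an added illustration that is not Rack's own code (the method names and sample paths are hypothetical): a bare string-prefix match, and a segment-aware match that only accepts paths that are the configured prefix itself or sit below it.

```ruby
# Added example (not Rack's own code). Contrasts the plain string-prefix check
# described in CVE-2026-34785 with a path-segment-aware check. Method names
# and sample paths are hypothetical, constructed for this illustration.

# Vulnerable form: "/css-config.env" is treated as living under "/css" because
# String#start_with? knows nothing about path segment boundaries.
def prefix_match_naive?(path, urls)
  urls.any? { |url| path.start_with?(url) }
end

# Hardened form: the prefix must equal the whole path or be followed by "/",
# so only paths inside the "/css" subtree match. A prefix that already ends
# in "/" (including a root mount of "/") is used as-is.
def prefix_match_segment?(path, urls)
  urls.any? do |url|
    boundary = url.end_with?("/") ? url : "#{url}/"
    path == url || path.start_with?(boundary)
  end
end

# Constructed sample request paths; only the first two belong to "/css".
SAMPLE_PATHS = [
  "/css/app.css",
  "/css",
  "/css-config.env",
  "/css-backup.sql",
  "/cssx/other.css",
].freeze

# Returns the subset of SAMPLE_PATHS that the given check would hand to the
# static file handler for the configured prefixes.
def served_paths(check, urls = ["/css"])
  SAMPLE_PATHS.select { |p| send(check, p, urls) }
end

if $PROGRAM_NAME == __FILE__
  puts "naive:   #{served_paths(:prefix_match_naive?).inspect}"
  puts "segment: #{served_paths(:prefix_match_segment?).inspect}"
end
```

Running it shows the naive check routing all five sample paths to the static handler, while the segment-aware check routes only "/css/app.css" and "/css".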

