CVE-2026-22860
Published: 18 February 2026
Summary
CVE-2026-22860 is a high-severity Path Traversal (CWE-22) vulnerability in Rack, the modular Ruby web server interface. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 31.1st percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-22860 is a path traversal vulnerability in Rack, a modular Ruby web server interface. The issue affects the `Rack::Directory` component in versions prior to 2.2.22, 3.1.20, and 3.2.5. It stems from a flawed root check that relies on a plain string prefix match on the expanded path: any target whose expanded path merely begins with the root string is accepted, including a sibling directory whose name starts with the root's name. For example, a request like `/../root_example/` against a root named `root` expands to `.../root_example`, which starts with the root string, so the check passes and the attacker obtains a directory listing outside the intended scope. The vulnerability is rated 7.5 on the CVSS 3.1 scale (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and maps to CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE-548 (Exposure of Information Through Directory Listing).
Remote attackers without authentication can exploit this vulnerability by sending specially crafted HTTP requests to a Rack application that serves directory listings via `Rack::Directory`. Successful exploitation lists directory contents beyond the configured root, potentially exposing sensitive file names and structure on the server filesystem; because the flaw is a prefix match, the reachable paths are those whose expanded form begins with the root string, such as sibling directories sharing the root's name as a prefix. No user interaction is required, the attack complexity is low, and the component is reachable over the network.
The Rack security advisory (GHSA-mxw3-3hh2-x2mh) and the fixing commit (75c5745c286637a8f049a33790c71237762069e7) recommend upgrading to Rack versions 2.2.22, 3.1.20, or 3.2.5, which implement a corrected path normalization check to prevent root escapes.
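The prefix-match flaw and the containment check that replaces it, as an added Ruby model that is not Rack's own code or the fixing commit: `ROOT`, the request paths and the minimal percent-decoder are constructed for illustration, and the hardened check shows the general rule (target must equal the root or sit strictly below it) rather than the exact lines Rack ships.

```ruby
# Added example, not Rack's own code: models the pre-fix Rack::Directory root
# check (string prefix on the expanded path) beside a containment check that
# closes the "/../root_example/" escape. ROOT is a hypothetical configured
# directory; the request paths below are constructed for illustration.

ROOT = "/srv/app/root".freeze

# Minimal percent-decoding, standing in for the unescaping a server performs
# before the path reaches the directory handler (so "%2e%2e" behaves like "..").
def decode_path(path_info)
  path_info.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
end

# Resolve a request path against the root the way a file-serving handler
# would: join, then expand so "." and ".." segments are collapsed.
def resolve(root, path_info)
  File.expand_path(File.join(root, decode_path(path_info)))
end

# VULNERABLE (pre-fix behaviour): accept when the expanded target string merely
# starts with the root string. "/srv/app/root_example" passes this check.
def vulnerable_allowed?(root, path_info)
  root = File.expand_path(root)
  resolve(root, path_info).start_with?(root)
end

# HARDENED: the target must equal the root or lie strictly below it, i.e. be
# followed by a path separator. A sibling sharing the root's prefix is rejected.
def hardened_allowed?(root, path_info)
  root = File.expand_path(root)
  target = resolve(root, path_info)
  target == root || target.start_with?(root + File::SEPARATOR)
end

# Run request paths through both checks; returns { path => [vulnerable, hardened] }.
def compare(root, paths)
  paths.to_h { |p| [p, [vulnerable_allowed?(root, p), hardened_allowed?(root, p)]] }
end

if __FILE__ == $0
  paths = ["/", "/docs/", "/../root_example/", "/%2e%2e/root_example/", "/../../etc/"]
  compare(ROOT, paths).each do |path, (vuln, hard)|
    puts format("%-24s vulnerable=%-5s hardened=%-5s -> %s", path, vuln, hard, resolve(ROOT, path))
  end
end
```

Note that `/../../etc/` is rejected by both checks: the bug is not a general traversal but a prefix collision, so an attacker can only reach paths whose expanded form begins with the root string. When probing a deployment, send the raw path with `curl --path-as-is`, since curl otherwise collapses the `..` segments client-side and the server never sees the escape.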
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7914
Vulnerability details
Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory`'s path check used a string prefix match on the expanded path. A request like `/../root_example/` can escape the configured root if the target path starts with the root string, allowing directory listing outside the intended root. Versions 2.2.22, 3.1.20, and 3.2.5 fix the issue.
- CWE(s): CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), CWE-548 (Exposure of Information Through Directory Listing)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in a public-facing Rack web component directly enables T1190 (Exploit Public-Facing Application) for unauthorized access; the resulting directory listings outside the intended root enable T1083 (File and Directory Discovery).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): timely patching to Rack 2.2.22, 3.1.20, or 3.2.5 replaces the prefix match with the corrected path normalization check and remediates the flaw in `Rack::Directory` directly.
- SI-10 (Information Input Validation): validate user-supplied paths on their decoded, expanded form and require the resolved path to be the root itself or to lie below it (root followed by a separator). Matching the raw request string against traversal patterns such as `/../root_example/` is brittle on its own; containment on the canonical path is what prevents the configured root from being bypassed.
- Restrict directory listing functionality to the paths that genuinely need it, so that an unauthorized listing outside the intended root exposes less even if a path check fails.