CVE-2026-22860
Published: 18 February 2026
Summary
CVE-2026-22860 is a high-severity Path Traversal (CWE-22) vulnerability in Rack, the modular Ruby web server interface. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 28.0th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Threat & Defense Details
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Detects information exposure through directory listings as unauthorized disclosure.
- Directory listings and resource enumeration can be suppressed or populated with misleading entries.
- Reduces exposure via directory listings or accessible files when OPSEC restricts visibility of key organizational resources.
- Validates pathnames and filenames to prevent traversal outside intended directories.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Path traversal in a public-facing Rack web component directly enables exploitation under T1190 (unauthorized access); the resulting directory listings enable T1083 File and Directory Discovery outside the intended root.
NVD Description
Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory`’s path check used a string prefix match on the expanded path. A request like `/../root_example/` can escape the configured root if the target path starts with the root string, allowing directory listing outside the intended root. Versions 2.2.22, 3.1.20, and 3.2.5 fix the issue.
Deeper analysis (AI)
CVE-2026-22860 is a path traversal vulnerability in Rack, a modular Ruby web server interface. The issue affects the `Rack::Directory` component in versions prior to 2.2.22, 3.1.20, and 3.2.5. It stems from a flawed path check that relies on a string prefix match on the expanded path, enabling attackers to bypass the configured root directory. For example, a request like `/../root_example/` can escape the root if the target path begins with the root string, resulting in unauthorized directory listings outside the intended scope. The vulnerability is rated 7.5 on the CVSS 3.1 scale (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and maps to CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE-548 (Exposure of Information Through Directory Listing).
Remote attackers without authentication can exploit this vulnerability by sending specially crafted HTTP requests to a Rack application serving directory listings. Successful exploitation allows listing of directory contents beyond the configured root, potentially exposing sensitive files and information on the server filesystem. No user interaction is required, and the attack is straightforward due to low complexity and network accessibility.
The Rack security advisory (GHSA-mxw3-3hh2-x2mh) and the fixing commit (75c5745c286637a8f049a33790c71237762069e7) recommend upgrading to Rack versions 2.2.22, 3.1.20, or 3.2.5, which implement a corrected path normalization check to prevent root escapes.
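The flawed prefix check and a corrected component-aware check, as an added Ruby illustration of the pattern this advisory describes; it is not Rack's own code, and the root directory `/srv/app/public` and request paths are constructed examples.

```ruby
# Added illustration of the check described in CVE-2026-22860.
# NOT Rack's code: it models the string-prefix pattern the advisory
# describes and a stricter alternative, on a constructed root directory.

ROOT = "/srv/app/public".freeze # constructed example root (need not exist)

# Resolve a request path against the root the way a static handler would.
# File.expand_path collapses ".." segments lexically and drops the
# trailing slash, so "/../public_example/" -> "/srv/app/public_example".
def resolve(root, request_path)
  File.expand_path(File.join(root, request_path))
end

# Flawed check: a plain string prefix match on the expanded path.
# A sibling directory whose name merely begins with the root string
# ("/srv/app/public_example") passes, which is the bug the CVE describes.
def inside_root_prefix?(root, request_path)
  resolve(root, request_path).start_with?(File.expand_path(root))
end

# Hardened check: the resolved path must be the root itself or lie
# strictly beneath it, i.e. the prefix must end on a path separator.
def inside_root_strict?(root, request_path)
  root_abs = File.expand_path(root)
  target   = resolve(root, request_path)
  target == root_abs || target.start_with?(root_abs + File::SEPARATOR)
end

if __FILE__ == $PROGRAM_NAME
  ["/css/site.css", "/../public_example/", "/../../etc/passwd", "/"].each do |p|
    puts format("%-22s prefix=%-5s strict=%s", p,
                inside_root_prefix?(ROOT, p), inside_root_strict?(ROOT, p))
  end
end
```

Note that the prefix check does reject plain `..` traversal such as `/../../etc/passwd`; the escape only works for targets whose path begins with the root string.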
Details
- CWE(s)