CVE-2026-34785
Published: 02 April 2026
Summary
CVE-2026-34785 is a high-severity Partial String Comparison (CWE-187) vulnerability in Rack. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 14.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates the CVE by requiring timely remediation of the flawed string prefix check in Rack::Static through patching to fixed versions 2.2.23, 3.1.21, or 3.2.6.
- AC-3 (Access Enforcement): Enforces approved access authorizations to prevent unauthorized disclosure of sensitive files under the static root via improperly matched URL prefixes like '/css-config.env'.
- SI-10 (Information Input Validation): Validates HTTP request paths to ensure only intended static files are served, countering the partial prefix evaluation that exposes unrelated sensitive files.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows unauthenticated remote attackers to exploit a public-facing web application (Rack::Static) via crafted HTTP requests to disclose sensitive local files, directly enabling T1190.
NVD Description
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Static determines whether a request should be served as a static file using a simple string prefix check. When configured with URL prefixes such as "/css", it matches any request path that begins with that string, including unrelated paths such as "/css-config.env" or "/css-backup.sql". As a result, files under the static root whose names merely share the configured prefix may be served unintentionally, leading to information disclosure. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
Deeper analysis
CVE-2026-34785 is a vulnerability in Rack, a modular Ruby web server interface, specifically affecting the Rack::Static component in versions prior to 2.2.23, 3.1.21, and 3.2.6. Rack::Static uses a simple string prefix check to determine whether a request should be served as a static file. When configured with URL prefixes such as "/css", this check matches any request path beginning with that string, including unrelated paths like "/css-config.env" or "/css-backup.sql". As a result, files under the static root whose names share the configured prefix may be served unintentionally, leading to information disclosure.
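To make the flaw described in the NVD text and the analysis above concrete, here is an added illustration (written for this page, not Rack's own code and not the upstream patch): a minimal model of a static-file prefix check in its bare `start_with?` form next to a boundary-aware form that additionally requires the matched prefix to be followed by a path separator or the end of the path. The prefixes and request paths are constructed for the example, and the hardened variant is one reasonable fix, not a description of how Rack 2.2.23/3.1.21/3.2.6 implement theirs.

```ruby
# Added illustration (not Rack's own code): a minimal model of the static-file
# prefix check described in the advisory, alongside a boundary-aware version.
# All prefixes and request paths below are constructed for this example.

# Vulnerable form: a bare prefix test. "/css-config.env" starts with "/css",
# so it is treated as a request for a static asset under the static root.
def naive_static_match?(path, prefixes)
  prefixes.any? { |prefix| path.start_with?(prefix) }
end

# Hardened form (an assumed fix, not the upstream patch): after the prefix the
# path must either end or continue with a "/" separator, so "/css-config.env"
# no longer matches "/css" while "/css/app.css" and "/css" itself still do.
def boundary_static_match?(path, prefixes)
  prefixes.any? do |prefix|
    next false unless path.start_with?(prefix)
    rest = path[prefix.length..]
    rest.empty? || rest.start_with?("/")
  end
end

# Runs both checks over a set of request paths and returns, per path,
# which check would route it to the static file handler.
def compare_checks(prefixes, paths)
  paths.each_with_object({}) do |path, result|
    result[path] = {
      naive: naive_static_match?(path, prefixes),
      boundary: boundary_static_match?(path, prefixes)
    }
  end
end

# Constructed configuration and request sample.
PREFIXES = ["/css", "/images"].freeze
SAMPLE_PATHS = [
  "/css/app.css",        # legitimate asset under the prefix
  "/css",                # the prefix itself
  "/css-config.env",     # unrelated file that merely shares the prefix characters
  "/css-backup.sql",     # same pattern as above
  "/images/logo.png",    # legitimate asset under the second prefix
  "/imagesets.json",     # shares "/images" as a prefix but is not under it
  "/index.html"          # matches neither prefix
].freeze

if __FILE__ == $PROGRAM_NAME
  compare_checks(PREFIXES, SAMPLE_PATHS).each do |path, verdict|
    puts format("%-20s naive=%-5s boundary=%s", path, verdict[:naive], verdict[:boundary])
  end
end
```

Running the file prints one line per path; the rows where `naive=true` but `boundary=false` are exactly the unintended matches the advisory describes. Independently of the check used, the exposure only exists for files that sit under the static root in the first place, so keeping configuration, backups and other non-asset files out of that directory is a useful defense-in-depth measure alongside upgrading.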
Unauthenticated remote attackers can exploit this vulnerability by sending crafted HTTP requests to paths that match the configured prefix but target sensitive files in the static root directory. Exploitation needs only network access and is of low complexity, with no privileges or user interaction required. The CVSS v3.1 base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N): high confidentiality impact, with no integrity or availability impact. The issue maps to CWE-187 (Partial String Comparison) and CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor).
The vulnerability has been patched in Rack versions 2.2.23, 3.1.21, and 3.2.6. Security practitioners should upgrade to these fixed releases. Additional details are available in the GitHub security advisory at https://github.com/rack/rack/security/advisories/GHSA-h2jq-g4cq-5ppq.
Details
- CWE(s)