Cyber Posture

CVE-2026-34830

Severity: Medium
Published: 02 April 2026
Modified: 16 April 2026
CVSS Score: 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0005 (14.3rd percentile)
Risk Priority: 12 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-34830 is a medium-severity Permissive Regular Expression (CWE-625) vulnerability in Rack, the modular Ruby web server interface. Its CVSS base score is 5.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 14.3rd percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique (listed below). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent · SI-2 Flaw Remediation: Directly mitigates the CVE by requiring timely remediation of the known flaw in Rack::Sendfile through patching to versions 2.2.23, 3.1.21, or 3.2.6, which properly escape the X-Accel-Mapping header.

prevent · SI-10 Information Input Validation: Requires validation of the X-Accel-Mapping request header to block regex metacharacter injection before the value is interpolated into the regular expression used for path rewriting.

prevent: Filters the generated X-Accel-Redirect response header so that nginx serves only valid file paths, preventing disclosure of unintended internal files.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

A vulnerability in a public-facing Rack component enables remote exploitation of the web server (T1190), resulting in unauthorized disclosure of files and data from the local system via a manipulated X-Accel-Redirect header that nginx then serves (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Sendfile#map_accel_path interpolates the value of the X-Accel-Mapping request header directly into a regular expression when rewriting file paths for X-Accel-Redirect. Because the header value is not escaped, an attacker who can supply X-Accel-Mapping to the backend can inject regex metacharacters and control the generated X-Accel-Redirect response header. In deployments using Rack::Sendfile with x-accel-redirect, this can allow an attacker to cause nginx to serve unintended files from configured internal locations. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.

Deeper analysis

CVE-2026-34830 is a vulnerability in Rack, a modular Ruby web server interface, affecting versions prior to 2.2.23, 3.1.21, and 3.2.6. The issue resides in the Rack::Sendfile#map_accel_path method, which directly interpolates the value of the X-Accel-Mapping request header into a regular expression during file path rewriting for X-Accel-Redirect responses. Due to the lack of escaping, this enables regex metacharacter injection, allowing manipulation of the generated X-Accel-Redirect header.

An attacker who can supply the X-Accel-Mapping header to the backend application, typically remotely over the network without privileges, can exploit this with high attack complexity to inject regex metacharacters and control the X-Accel-Redirect response. In deployments configured with Rack::Sendfile and x-accel-redirect alongside nginx, this results in nginx serving unintended files from internal locations, leading to unauthorized data disclosure. The vulnerability has a CVSS v3.1 base score of 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) and is classified under CWE-625 (Permissive Regular Expression).

The vulnerability has been addressed in Rack versions 2.2.23, 3.1.21, and 3.2.6. Additional details on the patch and remediation are available in the GitHub security advisory at https://github.com/rack/rack/security/advisories/GHSA-qv7j-4883-hwh7.
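To make the NVD description and the analysis above concrete, here is an added Ruby illustration (written for this page, not Rack's own code) of the unescaped interpolation beside the Regexp.escape fix and an SI-10 style allowlist check. The X-Accel-Mapping "internal=external" format follows Rack::Sendfile's documented convention; the method names, the allowed character set and the sample paths are assumptions.

```ruby
# Illustrative reconstruction of the Rack::Sendfile X-Accel-Mapping rewrite,
# written for this page; it is NOT Rack's own code. The header format
# "internal_prefix=external_prefix" follows Rack::Sendfile's documented
# convention; method and constant names here are assumptions.

# Vulnerable shape (CWE-625): the header-controlled prefix is interpolated
# into the regex unescaped, so metacharacters in the header change which
# request paths get rewritten into the X-Accel-Redirect value.
def map_accel_path_unescaped(mapping_header, path)
  internal, external = mapping_header.split('=', 2).map(&:strip)
  return path unless internal && external
  path.sub(/\A#{internal}/i, external)
end

# Hardened shape: Regexp.escape forces a literal prefix match, so the
# header can only select the prefix it spells out.
def map_accel_path_escaped(mapping_header, path)
  internal, external = mapping_header.split('=', 2).map(&:strip)
  return path unless internal && external
  path.sub(/\A#{Regexp.escape(internal)}/i, external)
end

# Input-validation layer (NIST SI-10 style): reject header values that
# contain anything beyond plain path characters before they reach the
# rewrite at all. The allowed charset is an assumption for this example.
MAPPING_FORMAT = %r{\A[\w./-]+=[\w./-]+\z}

def valid_accel_mapping?(mapping_header)
  !mapping_header.nil? && MAPPING_FORMAT.match?(mapping_header)
end

# Constructed sample inputs: a normal mapping and one carrying a regex
# alternation, which should never be treated as a pattern.
BENIGN_MAPPING = '/var/www/=/files/'
META_MAPPING   = '/(var|srv)/www/=/files/'

def demo
  {
    benign_unescaped: map_accel_path_unescaped(BENIGN_MAPPING, '/var/www/report.pdf'),
    benign_escaped:   map_accel_path_escaped(BENIGN_MAPPING, '/var/www/report.pdf'),
    # Unescaped: the alternation widens the match to /srv/www/ as well.
    meta_unescaped:   map_accel_path_unescaped(META_MAPPING, '/srv/www/report.pdf'),
    # Escaped: no literal "/(var|srv)/www/" prefix, so the path is left alone.
    meta_escaped:     map_accel_path_escaped(META_MAPPING, '/srv/www/report.pdf'),
    meta_valid:       valid_accel_mapping?(META_MAPPING)
  }
end

demo.each { |k, v| puts "#{k}: #{v.inspect}" } if __FILE__ == $PROGRAM_NAME
```

A path that comes back unchanged from the escaped variant means the mapping did not apply, which is the safe outcome for a header that does not spell out a literal prefix.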

Details

CWE(s): CWE-625 Permissive Regular Expression

Affected Products

rack (vendor: rack): ≤ 2.2.23 · 3.0.0 — 3.1.21 · 3.2.0 — 3.2.6

CVEs Like This One

CVE-2025-27610 (same product: Rack)
CVE-2026-34785 (same product: Rack)
CVE-2026-22860 (same product: Rack)
CVE-2026-34829 (same product: Rack)
CVE-2026-34826 (same product: Rack)
CVE-2025-27111 (same product: Rack)
CVE-2026-34827 (same product: Rack)
CVE-2026-34230 (same product: Rack)
CVE-2026-39324 (same vendor: Rack)
CVE-2026-32973 (shared CWE-625)
