CVE-2026-7381
Published: 29 April 2026
Summary
CVE-2026-7381 is a critical-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Miyagawa Plack. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 35.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-7381 affects Plack::Middleware::XSendfile versions through 1.0053 for Perl, enabling client-controlled path rewriting. The middleware allows the sendfile type variation to be set by clients via the X-Sendfile-Type header if it is not configured in the middleware constructor or Plack environment. This vulnerability is associated with CWE-200 (Exposure of Sensitive Information), CWE-441 (Unintended Proxy or Intermediary), and CWE-913 (Improper Control of Dynamically-Identified Variables), earning a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).
Remote unauthenticated attackers can exploit this by setting the X-Sendfile-Type header to "X-Accel-Redirect" in services behind nginx reverse proxies, then using the X-Accel-Mapping header to redirect paths to arbitrary files on the server, potentially disclosing or manipulating sensitive data.
Advisories note that Plack::Middleware::XSendfile has been deprecated since version 1.0053 and will be removed from future Plack releases. It includes mitigations disallowing regular expressions in mappings and restricting mappings to the "X-Accel-Redirect" type only. Relevant references include the Plack 1.0053 changes and deprecation notice on MetaCPAN, as well as NVD details for the similar CVE-2025-61780 in Rack::Sendfile.
This vulnerability shares mechanics with CVE-2025-61780 but incorporates the noted mitigations.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-26296
Vulnerability details
Plack::Middleware::XSendfile versions through 1.0053 for Perl can allow client-controlled path rewriting. Plack::Middleware::XSendfile allows the variation setting (sendfile type) to be set by the client via the X-Sendfile-Type header, if it is not considered in the middleware constructor or the Plack environment. A malicious client can set the X-Sendfile-Type header to "X-Accel-Redirect" to services running behind nginx reverse proxies, and then set the X-Accel-Mapping to map the path to an arbitrary file on the server. Since 1.0053, Plack::Middleware::XSendfile is deprecated and will be removed from future releases of Plack. This is similar to CVE-2025-61780 for Rack::Sendfile, although Plack::Middleware::XSendfile has some mitigations that disallow regular expressions to be used in the mapping, and only apply the mapping for the "X-Accel-Redirect" type.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability in public-facing Plack middleware enables remote unauthenticated exploitation for arbitrary file access on the server (T1190), directly facilitating collection of sensitive data from the local filesystem (T1005).
Mitigating Controls (NIST 800-53 r5)
- Directly remediates the flaw in vulnerable Plack::Middleware::XSendfile versions through 1.0053 by updating or removing the deprecated middleware.
- Validates client-supplied headers like X-Sendfile-Type and X-Accel-Mapping to block path rewriting to arbitrary server files.
- Configures middleware sendfile type in the constructor or Plack environment to prevent client override via headers.
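The following PSGI configuration is an added example of the two configuration-side controls above (pinning the sendfile type in the constructor, and refusing client-supplied sendfile headers); it is not code from the advisory or from the Plack project. It assumes `variation` is the middleware's constructor option for the sendfile type and that, as in any PSGI server, request headers reach the application as `HTTP_*` keys in `$env` (so X-Sendfile-Type arrives as `HTTP_X_SENDFILE_TYPE`). The file path and the application itself are constructed for illustration.

```perl
# app.psgi -- hardened deployment of Plack::Middleware::XSendfile
# (added example; not from the advisory or from Plack itself)
use strict;
use warnings;
use Plack::Builder;

# Constructed sample application. It returns a real filehandle as the body,
# which is exactly the case in which the XSendfile middleware replaces the
# body with a sendfile header for the front-end server to act on.
my $app = sub {
    my $env  = shift;
    my $file = '/srv/downloads/report.pdf';    # hypothetical path
    open my $fh, '<:raw', $file
        or return [ 404, [ 'Content-Type' => 'text/plain' ], ['not found'] ];
    return [ 200, [ 'Content-Type' => 'application/pdf' ], $fh ];
};

builder {
    # Control: validate (here, discard) sendfile-related request headers that
    # came in from the client. Only a trusted front-end proxy should ever set
    # X-Sendfile-Type or X-Accel-Mapping, and it should set them itself rather
    # than pass through whatever the client sent. Stripping them at the
    # application boundary means the middleware can never see a client value.
    enable sub {
        my $next = shift;
        return sub {
            my $env = shift;
            delete @{$env}{qw(HTTP_X_SENDFILE_TYPE HTTP_X_ACCEL_MAPPING)};
            return $next->($env);
        };
    };

    # Control (CM-6): pin the sendfile type in the constructor. With
    # `variation` set explicitly, the middleware does not fall back to the
    # X-Sendfile-Type request header to choose which header to emit.
    # 'X-Sendfile' is a placeholder; use the value your front-end supports.
    enable 'XSendfile', variation => 'X-Sendfile';

    $app;
};
```

Run it with `plackup app.psgi`. Where X-Accel-Redirect is genuinely in use behind nginx, the proxy itself should supply the mapping with `proxy_set_header X-Accel-Mapping ...`, which replaces any value the client sent, rather than the application trusting the inbound header. Since the advisory notes the middleware is deprecated as of 1.0053, these settings are a stopgap; the durable fix is to remove the middleware and let the front-end server serve static files directly.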