CVE-2026-7381
Published: 29 April 2026
Summary
CVE-2026-7381 is a critical-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Miyagawa Plack. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 1.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly remediates the flaw in vulnerable Plack::Middleware::XSendfile versions through 1.0053 by updating or removing the deprecated middleware.
Validates client-supplied headers like X-Sendfile-Type and X-Accel-Mapping to block path rewriting to arbitrary server files.
Configures middleware sendfile type in the constructor or Plack environment to prevent client override via headers.
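The two middleware-side controls above (discarding the client-supplied X-Sendfile-Type and X-Accel-Mapping headers, and pinning the sendfile type in the constructor) as an added app.psgi example; this is not code from the advisory or from the Plack project. The /srv/protected/ directory, the nginx-internal /protected/ location and the "fspath=urlprefix" form of X-Accel-Mapping are assumptions for illustration; "variation" is the constructor setting name used in the NVD text.

```perl
# app.psgi (added example, not from the advisory or from Plack itself).
# Assumes nginx fronts this app and exposes /srv/protected/ through an
# internal location /protected/; adjust both values to your deployment.
use strict;
use warnings;
use Plack::Builder;

my $DOCROOT      = '/srv/protected/';   # assumed filesystem root
my $ACCEL_PREFIX = '/protected/';       # assumed nginx internal location

# The application returns a real filehandle so XSendfile can offload it.
my $app = sub {
    my $env  = shift;
    my $file = $DOCROOT . 'report.pdf';
    open my $fh, '<:raw', $file
        or return [404, ['Content-Type' => 'text/plain'], ['not found']];
    return [200, ['Content-Type' => 'application/pdf'], $fh];
};

builder {
    # Outermost layer: drop whatever the client sent in the two headers the
    # advisory names, then substitute the server's own trusted mapping so a
    # request can never choose the rewrite target.
    enable sub {
        my $app = shift;
        sub {
            my $env = shift;
            delete @$env{qw(HTTP_X_SENDFILE_TYPE HTTP_X_ACCEL_MAPPING)};
            $env->{HTTP_X_ACCEL_MAPPING} = "$DOCROOT=$ACCEL_PREFIX";
            $app->($env);
        };
    };
    # Pin the sendfile type in the constructor (the "variation" setting in
    # the NVD text) so the X-Sendfile-Type request header is never consulted.
    # Note the advisory's primary remediation is updating past 1.0053 or
    # removing this deprecated middleware; the hardening here is defense in depth.
    enable 'XSendfile', variation => 'X-Accel-Redirect';
    $app;
};
```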
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability in public-facing Plack middleware enables remote unauthenticated exploitation for arbitrary file access on the server (T1190), directly facilitating collection of sensitive data from the local filesystem (T1005).
NVD Description
Plack::Middleware::XSendfile versions through 1.0053 for Perl can allow client-controlled path rewriting. Plack::Middleware::XSendfile allows the variation setting (sendfile type) to be set by the client via the X-Sendfile-Type header, if it is not considered in the middleware constructor or the Plack environment. A malicious client can set the X-Sendfile-Type header to "X-Accel-Redirect" to services running behind nginx reverse proxies, and then set the X-Accel-Mapping to map the path to an arbitrary file on the server. Since 1.0053, Plack::Middleware::XSendfile is deprecated and will be removed from future releases of Plack. This is similar to CVE-2025-61780 for Rack::Sendfile, although Plack::Middleware::XSendfile has some mitigations that disallow regular expressions to be used in the mapping, and only apply the mapping for the "X-Accel-Redirect" type.
Deeper analysis
CVE-2026-7381 affects Plack::Middleware::XSendfile versions through 1.0053 for Perl, enabling client-controlled path rewriting. The middleware allows the sendfile type variation to be set by clients via the X-Sendfile-Type header if it is not configured in the middleware constructor or Plack environment. This vulnerability is associated with CWE-200 (Exposure of Sensitive Information), CWE-441 (Unintended Proxy or Intermediary), and CWE-913 (Improper Control of Dynamically-Identified Variables), earning a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).
Remote unauthenticated attackers can exploit this by setting the X-Sendfile-Type header to "X-Accel-Redirect" against services behind nginx reverse proxies, then using the X-Accel-Mapping header to redirect paths to arbitrary files on the server, potentially disclosing or manipulating sensitive data.
Advisories note that Plack::Middleware::XSendfile has been deprecated since version 1.0053 and will be removed from future Plack releases. It includes mitigations disallowing regular expressions in mappings and restricting mappings to the "X-Accel-Redirect" type only. Relevant references include the Plack 1.0053 changes and deprecation notice on MetaCPAN, as well as NVD details for the similar CVE-2025-61780 in Rack::Sendfile.
This vulnerability shares mechanics with CVE-2025-61780 but incorporates the noted mitigations.
Details
- CWE(s)