CVE-2026-34835

EUVD-2026-18478

02.04.2026, 18:16

Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21, and 3.2.0 to before 3.2.6, Rack::Request parses the Host header using an AUTHORITY regular expression that accepts characters not permitted in RFC-compliant hostnames, including /, ?, #, and @. Because req.host returns the full parsed value, applications that validate hosts using naive prefix or suffix checks can be bypassed. This can lead to host header poisoning in applications that use req.host, req.url, or req.base_url for link generation, redirects, or origin validation. This issue has been patched in versions 3.1.21 and 3.2.6.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	4.8 MEDIUM	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 35%

Affected Products (NVD)

Vendor	Product	Version
rack	rack	3.0.0 ≤ 𝑥 < 3.1.21
rack	rack	3.2.0 ≤ 𝑥 < 3.2.6

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

ruby-rack

bookworm	vulnerable
bookworm (security)	vulnerable
bullseye	vulnerable
bullseye (security)	vulnerable
forky	3.2.6-2 fixed
sid	3.2.6-2 fixed
trixie	vulnerable
trixie (security)	vulnerable

Known Exploits!

https://github.com/rack/rack/security/advisories/GHSA-g2pf-xv49-m2h5

Common Weakness Enumeration

CWE-1286 - Improper Validation of Syntactic Correctness of Input
The product receives input that is expected to be well-formed - i.e., to comply with a certain syntax - but it does not validate or incorrectly validates that the input complies with the syntax.

References

https://github.com/rack/rack/security/advisories/GHSA-g2pf-xv49-m2h5