CVE-2026-22860
Received Received - Intake
Directory Traversal in Rack::Directory Allows Unauthorized Directory Access

Publication date: 2026-02-18

Last updated on: 2026-02-19

Assigner: GitHub, Inc.

Description
Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory`’s path check used a string prefix match on the expanded path. A request like `/../root_example/` can escape the configured root if the target path starts with the root string, allowing directory listing outside the intended root. Versions 2.2.22, 3.1.20, and 3.2.5 fix the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-18
Last Modified
2026-02-19
Generated
2026-06-16
AI Q&A
2026-02-18
EPSS Evaluated
2026-06-15
NVD
CVE-2026-22860
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
rack rack to 2.2.22 (exc)
rack rack From 3.0.0 (inc) to 3.1.20 (exc)
rack rack From 3.2.0 (inc) to 3.2.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-548 The product inappropriately exposes a directory listing with an index of all the resources located inside of the directory.
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-22860 is a directory traversal vulnerability in the Rack::Directory component of the Rack Ruby web server interface. The vulnerability occurs because the path validation uses a string prefix match on the expanded file path, which can be bypassed if a directory outside the intended root shares the same prefix as the root directory.

For example, if the server root is set to a directory like /var/www/root, a path such as /../root_backup/ can escape the root directory and allow access to files or directories outside the intended root. This happens because the check only verifies if the expanded path starts with the root string, not if it is strictly inside the root directory.

The vulnerability allows an attacker to list directories and access files outside the configured root directory, potentially exposing sensitive information.

Impact Analysis

This vulnerability can lead to unauthorized information disclosure by allowing attackers to access and list directories outside the intended root directory of a web server using Rack::Directory.

  • Attackers can remotely exploit this vulnerability without any privileges or user interaction.
  • It can expose sensitive files and directories that were meant to be protected, leading to potential data leaks.
  • The vulnerability has a high severity with a CVSS score of 7.5, indicating a significant risk.
Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability can be detected by attempting to access directory listings outside the intended root directory using specially crafted paths that exploit the root prefix bypass. For example, sending HTTP requests with paths like '/../root_example/' or '/../<outside_dir>/' where the outside directory shares a prefix with the root directory may reveal unauthorized directory listings."}, {'type': 'paragraph', 'content': 'To detect this on your system, you can perform manual or automated HTTP requests targeting the Rack::Directory endpoints with traversal paths and observe if directory listings outside the root are accessible.'}, {'type': 'paragraph', 'content': 'Suggested commands using curl to test for the vulnerability might include:'}, {'type': 'list_item', 'content': 'curl -i http://yourserver/../root_example/'}, {'type': 'list_item', 'content': 'curl -i http://yourserver/../some_directory_with_root_prefix/'}, {'type': 'paragraph', 'content': 'If these requests return directory listings or HTTP 200 responses with directory content outside the intended root, the system is vulnerable.'}] [1, 2]

Mitigation Strategies

The primary mitigation step is to update the Rack library to a patched version that fixes this vulnerability. Specifically, upgrade to version 2.2.22, 3.1.20, or 3.2.5 or later.

These versions include a fix that properly normalizes the root path and enforces strict directory traversal checks to prevent root prefix bypasses.

Additionally, avoid naming directories with prefixes similar to the root directory to reduce the risk of accidental traversal.

Until the update is applied, consider restricting access to the Rack::Directory endpoints or disabling directory listings if possible.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22860. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart