CVE-2026-22860
Directory Traversal in Rack::Directory Allows Unauthorized Directory Access
Publication date: 2026-02-18
Last updated on: 2026-02-19
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| rack | rack | Up to 2.2.22 (exc) |
| rack | rack | From 3.0.0 (inc) to 3.1.20 (exc) |
| rack | rack | From 3.2.0 (inc) to 3.2.5 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
| CWE-548 | The product inappropriately exposes a directory listing with an index of all the resources located inside of the directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-22860 is a directory traversal vulnerability in the Rack::Directory component of Rack, the Ruby web server interface. The vulnerability occurs because the path validation uses a string prefix match on the expanded file path, which can be bypassed if a directory outside the intended root shares the same prefix as the root directory.
For example, if the server root is set to a directory like /var/www/root, a path such as /../root_backup/ can escape the root directory and allow access to files or directories outside the intended root. This happens because the check only verifies if the expanded path starts with the root string, not if it is strictly inside the root directory.
The vulnerability allows an attacker to list directories and access files outside the configured root directory, potentially exposing sensitive information.
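The two checks described above, as an added example that is not Rack's own code: the prefix-only test on the expanded path beside a separator-aware containment test. The root /var/www/root and the request paths are constructed for illustration, and nothing is read from disk.

```ruby
# Added example (not Rack's code): why "expanded path starts with root" is
# not a containment check, and a strict alternative. No filesystem access.
require "pathname"

ROOT = "/var/www/root" # constructed example root

# Vulnerable pattern described in the advisory: join the request path under
# the root, expand it, and accept the result if it merely starts with the
# root string. "/var/www/root_backup" starts with "/var/www/root", so a
# sibling directory sharing the root's name as a prefix is accepted.
def inside_root_prefix_only?(request_path, root = ROOT)
  expanded = File.expand_path(File.join(root, request_path))
  expanded.start_with?(root)
end

# Hardened check: normalise the root too, then require the candidate to be
# the root itself or to begin with root plus a path separator. A sibling
# like "/var/www/root_backup" no longer matches.
def inside_root_strict?(request_path, root = ROOT)
  root = File.expand_path(root)
  expanded = File.expand_path(File.join(root, request_path))
  expanded == root || expanded.start_with?(root + File::SEPARATOR)
end

# Compare both checks over a few constructed request paths.
def compare_checks(paths = ["/", "/images/a.png", "/../root_backup/", "/../../etc/passwd"])
  paths.map do |p|
    { path: p, prefix_only: inside_root_prefix_only?(p), strict: inside_root_strict?(p) }
  end
end

if __FILE__ == $PROGRAM_NAME
  compare_checks.each { |r| puts format("%-20s prefix_only=%-5s strict=%s", r[:path], r[:prefix_only], r[:strict]) }
end
```

Note that ordinary traversal such as /../../etc/passwd is rejected by both checks; only the sibling-prefix case slips through the prefix-only version.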
How can this vulnerability impact me?
This vulnerability can lead to unauthorized information disclosure by allowing attackers to access and list directories outside the intended root directory of a web server using Rack::Directory.
- Attackers can remotely exploit this vulnerability without any privileges or user interaction.
- It can expose sensitive files and directories that were meant to be protected, leading to potential data leaks.
- The vulnerability has a high severity with a CVSS score of 7.5, indicating a significant risk.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to access directory listings outside the intended root directory using specially crafted paths that exploit the root prefix bypass. For example, sending HTTP requests with paths like '/../root_example/' or '/../<outside_dir>/' where the outside directory shares a prefix with the root directory may reveal unauthorized directory listings.
To detect this on your system, you can perform manual or automated HTTP requests targeting the Rack::Directory endpoints with traversal paths and observe if directory listings outside the root are accessible.
Suggested commands using curl to test for the vulnerability might include:
- curl -i http://yourserver/../root_example/
- curl -i http://yourserver/../some_directory_with_root_prefix/
If these requests return directory listings or HTTP 200 responses with directory content outside the intended root, the system is vulnerable. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update the Rack library to a patched version that fixes this vulnerability. Specifically, upgrade to version 2.2.22, 3.1.20, or 3.2.5 or later.
These versions include a fix that properly normalizes the root path and enforces strict directory traversal checks to prevent root prefix bypasses.
Additionally, avoid naming directories with prefixes similar to the root directory to reduce the risk of accidental traversal.
Until the update is applied, consider restricting access to the Rack::Directory endpoints or disabling directory listings if possible.