CVE-2026-26962
Header Injection via Multipart Parser in Rack
Publication date: 2026-04-02
Last updated on: 2026-04-21
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| rack | rack | From 3.2.0 (inc) to 3.2.6 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-93 | The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in Rack's multipart header parsing can lead to HTTP header injection or response splitting if applications reuse parsed multipart metadata without proper sanitization. This can result in security risks such as cache poisoning or response manipulation.
While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, improper handling of user-supplied data and potential injection vulnerabilities could indirectly impact compliance by exposing sensitive data or enabling attacks that compromise data integrity and confidentiality.
Mitigation involves updating to the patched version and sanitizing multipart metadata before reuse, which helps maintain secure handling of data and supports compliance with data protection requirements.
Can you explain this vulnerability to me?
CVE-2026-26962 is a vulnerability in the Rack Ruby library's multipart parser component. It occurs because the parser incorrectly handles folded multipart headers containing obsolete folding sequences (obs-fold). Instead of removing embedded carriage return and line feed (CRLF) characters during header unfolding, the parser preserves these CRLF sequences within parsed parameter values such as "filename" or "name."
This means that multipart headers like Content-Disposition with folded lines can result in parameter values that still contain CRLF characters. This improper handling can lead to security risks if these values are reused in HTTP response headers or other header-sensitive contexts.
The vulnerability can enable downstream HTTP header injection, response splitting, cache poisoning, or other response parsing vulnerabilities. It affects Rack versions from 3.2.0 up to but not including 3.2.6, where it has been patched.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers to inject malicious content into HTTP response headers if your application reuses multipart metadata values like filenames without proper sanitization.
Specifically, the preserved CRLF characters in parsed multipart headers can lead to HTTP header injection or response splitting attacks. These attacks can cause cache poisoning, manipulation of HTTP responses, or other security issues related to response parsing.
The severity is considered moderate with a CVSS v3.1 base score of 4.8, indicating a network attack vector with high complexity but no required privileges or user interaction.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves improper unfolding of folded multipart headers in Rack versions 3.2.0 to before 3.2.6, where CRLF characters are preserved in parsed parameter values such as filenames or names.
To detect this vulnerability on your system, you can check the version of the Rack library in use. If the version is between 3.2.0 and before 3.2.6, your system is vulnerable.
You can also inspect HTTP multipart requests for headers containing folded lines with CRLF sequences that are not properly removed. This may require capturing and analyzing HTTP traffic or application logs.
Suggested commands to check the Rack version in a Ruby environment:
- ruby -e "require 'rack'; puts Rack.release"
- bundle list | grep rack
To detect potential exploitation attempts, you might monitor HTTP requests for multipart headers with suspicious CRLF sequences in filename or name parameters, using tools like tcpdump, Wireshark, or web server logs with pattern matching.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade the Rack library to version 3.2.6 or later, where the vulnerability has been patched by correctly removing CRLF characters during header unfolding.
Additionally, applications should avoid directly copying multipart metadata such as filenames or names into HTTP response headers without proper sanitization.
- Sanitize or reject CRLF characters in multipart-derived values before reusing them in headers.
- Normalize uploaded filenames before storage or reflection to prevent injection.
These steps help prevent downstream HTTP header injection, response splitting, cache poisoning, or other response parsing vulnerabilities.