CVE-2026-26962
Received Received - Intake
Header Injection via Multipart Parser in Rack

Publication date: 2026-04-02

Last updated on: 2026-04-21

Assigner: GitHub, Inc.

Description
Rack is a modular Ruby web server interface. From version 3.2.0 to before version 3.2.6, Rack::Multipart::Parser unfolds folded multipart part headers incorrectly. When a multipart header contains an obs-fold sequence, Rack preserves the embedded CRLF in parsed parameter values such as filename or name instead of removing the folded line break during unfolding. As a result, applications that later reuse those parsed values in HTTP response headers may be vulnerable to downstream header injection or response splitting. This issue has been patched in version 3.2.6.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-02
Last Modified
2026-04-21
Generated
2026-06-16
AI Q&A
2026-04-02
EPSS Evaluated
2026-06-15
NVD
CVE-2026-26962
EUVD
EUVD-2026-18417
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
rack rack From 3.2.0 (inc) to 3.2.6 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-93 The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-26962 is a vulnerability in the Rack Ruby library's multipart parser component. It occurs because the parser incorrectly handles folded multipart headers containing obsolete folding sequences (obs-fold). Instead of removing embedded carriage return and line feed (CRLF) characters during header unfolding, the parser preserves these CRLF sequences within parsed parameter values such as "filename" or "name."

This means that multipart headers like Content-Disposition with folded lines can result in parameter values that still contain CRLF characters. This improper handling can lead to security risks if these values are reused in HTTP response headers or other header-sensitive contexts.

The vulnerability can enable downstream HTTP header injection, response splitting, cache poisoning, or other response parsing vulnerabilities. It affects Rack versions from 3.2.0 up to but not including 3.2.6, where it has been patched.

Impact Analysis

This vulnerability can impact you by allowing attackers to inject malicious content into HTTP response headers if your application reuses multipart metadata values like filenames without proper sanitization.

Specifically, the preserved CRLF characters in parsed multipart headers can lead to HTTP header injection or response splitting attacks. These attacks can cause cache poisoning, manipulation of HTTP responses, or other security issues related to response parsing.

The severity is considered moderate with a CVSS v3.1 base score of 4.8, indicating a network attack vector with high complexity but no required privileges or user interaction.

Detection Guidance

This vulnerability involves improper unfolding of folded multipart headers in Rack versions 3.2.0 to before 3.2.6, where CRLF characters are preserved in parsed parameter values such as filenames or names.

To detect this vulnerability on your system, you can check the version of the Rack library in use. If the version is between 3.2.0 and before 3.2.6, your system is vulnerable.

You can also inspect HTTP multipart requests for headers containing folded lines with CRLF sequences that are not properly removed. This may require capturing and analyzing HTTP traffic or application logs.

Suggested commands to check the Rack version in a Ruby environment:

  • ruby -e "require 'rack'; puts Rack.release"
  • bundle list | grep rack

To detect potential exploitation attempts, you might monitor HTTP requests for multipart headers with suspicious CRLF sequences in filename or name parameters, using tools like tcpdump, Wireshark, or web server logs with pattern matching.

Mitigation Strategies

The primary mitigation step is to upgrade the Rack library to version 3.2.6 or later, where the vulnerability has been patched by correctly removing CRLF characters during header unfolding.

Additionally, applications should avoid directly copying multipart metadata such as filenames or names into HTTP response headers without proper sanitization.

  • Sanitize or reject CRLF characters in multipart-derived values before reusing them in headers.
  • Normalize uploaded filenames before storage or reflection to prevent injection.

These steps help prevent downstream HTTP header injection, response splitting, cache poisoning, or other response parsing vulnerabilities.

Compliance Impact

The vulnerability in Rack's multipart header parsing can lead to HTTP header injection or response splitting if applications reuse parsed multipart metadata without proper sanitization. This can result in security risks such as cache poisoning or response manipulation.

While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, improper handling of user-supplied data and potential injection vulnerabilities could indirectly impact compliance by exposing sensitive data or enabling attacks that compromise data integrity and confidentiality.

Mitigation involves updating to the patched version and sanitizing multipart metadata before reuse, which helps maintain secure handling of data and supports compliance with data protection requirements.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26962. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart