CVE-2026-32762
Status: Received - Intake
Header Injection Vulnerability in Rack Forwarded Header Parsing

Publication date: 2026-04-02

Last updated on: 2026-04-21

Assigner: GitHub, Inc.

Description
Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21 and 3.2.0 to before 3.2.6, Rack::Utils.forwarded_values parses the RFC 7239 Forwarded header by splitting on semicolons before handling quoted-string values. Because quoted values may legally contain semicolons, a header can be interpreted by Rack as multiple Forwarded directives rather than as a single quoted for value. In deployments where an upstream proxy, WAF, or intermediary validates or preserves quoted Forwarded values differently, this discrepancy can allow an attacker to smuggle host, proto, for, or by parameters through a single header value. This issue has been patched in versions 3.1.21 and 3.2.6.
Meta Information
Published: 2026-04-02
Last Modified: 2026-04-21
Generated: 2026-05-07
AI Q&A: 2026-04-02
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (2 associated CPEs)
Vendor  Product  Version / Range
rack    rack     From 3.0.0 (inc) to 3.1.21 (exc)
rack    rack     From 3.2.0 (inc) to 3.2.6 (exc)
CWE
CWE-436: Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows an attacker to smuggle spoofed values for host, proto, for, or by parameters through a single Forwarded header, potentially leading to host or scheme spoofing. Such spoofing can impact password reset links, redirects, absolute URL generation, logging, IP-based access controls, or backend requests.

Because these impacts can affect the integrity and accuracy of request metadata and logging, organizations subject to compliance standards like GDPR or HIPAA may face challenges ensuring data integrity, accurate access controls, and reliable audit trails if this vulnerability is exploited.

Mitigation involves upgrading to patched versions of Rack and avoiding reliance on untrusted Forwarded headers, which helps maintain compliance by ensuring that request metadata and logging are accurate and trustworthy.


Can you explain this vulnerability to me?

CVE-2026-32762 is a moderate severity vulnerability in the RubyGems package "rack" affecting certain versions before 3.1.21 and 3.2.6. The issue arises because the method Rack::Utils.forwarded_values incorrectly parses the RFC 7239 Forwarded HTTP header by splitting on semicolons before handling quoted-string values. Since quoted values may legally contain semicolons, this causes Rack to interpret a single quoted value as multiple separate Forwarded directives.

This parsing discrepancy allows an attacker to smuggle or inject spoofed parameters such as host, proto (scheme), for, or by within a single Forwarded header. Applications relying on these values for request metadata may be tricked into using attacker-controlled values, leading to host or scheme spoofing.


How can this vulnerability impact me?

This vulnerability can impact applications by allowing attackers to spoof critical request metadata such as the host, scheme, or client IP address. This can affect password reset links, redirects, absolute URL generation, logging, IP-based access controls, or backend requests.

The practical impact depends on the deployment architecture, especially where upstream proxies or intermediaries validate or preserve Forwarded headers differently than Rack. If an attacker can inject spoofed values, they may manipulate how the application interprets request origins or destinations.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves improper parsing of the RFC 7239 Forwarded HTTP header by Rack, which can be detected by inspecting HTTP requests for suspicious Forwarded headers containing quoted strings with semicolons.

To detect potential exploitation attempts on your network or system, you can monitor HTTP traffic for Forwarded headers that include semicolons inside quoted strings, such as: Forwarded: for="127.0.0.1;host=evil.com;proto=https".

Commands to help detect this might include using network traffic capture and inspection tools like tcpdump or Wireshark to filter HTTP headers, or using command-line tools like curl or grep on server logs to search for suspicious Forwarded headers.

  • Use tcpdump to capture HTTP traffic and filter for Forwarded headers: tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -i Forwarded
  • Search web server logs for Forwarded headers containing semicolons inside quotes: grep -i 'Forwarded:.*".*;.*"' /var/log/nginx/access.log
  • Use curl to send crafted Forwarded headers and observe application behavior for testing: curl -H 'Forwarded: for="127.0.0.1;host=evil.com;proto=https"' http://yourserver/
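The following Ruby is an added example, not Rack's own code: it contrasts the split-on-semicolon parsing described in the Description with an RFC 7239-aware parser that consumes quoted strings as single tokens, and adds the "semicolon inside quotes" check that the grep above approximates. The header value, the constant and function names are constructed for illustration.

```ruby
# Added example, not Rack's code. Naive parser reproduces the bug class
# described for Rack::Utils.forwarded_values (split on ';' before honouring
# quoted strings); the RFC 7239-aware one treats a quoted-string as one token.
SAMPLE = 'for="127.0.0.1;host=evil.com;proto=https"'  # constructed header value
# Naive: a quoted value containing ';' is torn into several directives,
# so host and proto from inside the quotes surface as separate keys.
def naive_forwarded(value)
  value.split(';').each_with_object({}) do |pair, h|
    k, v = pair.split('=', 2)
    h[k.strip.downcase] = v.strip.delete('"') if k && v
  end
end
# One forwarded-pair: token "=" (quoted-string | token).
PAIR_RE = /\A\s*([\w!$%&'*+.^`|~#-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^";,\s]*))\s*\z/
# RFC-aware: ';' and ',' separate only outside quotes, so SAMPLE yields a
# single element whose one "for" value still contains the semicolons.
def rfc7239_forwarded(value)
  elements, current, buf = [], {}, +''
  in_quotes = escaped = false
  flush = lambda do
    next if buf.strip.empty?
    m = PAIR_RE.match(buf) or raise ArgumentError, "malformed pair: #{buf}"
    current[m[1].downcase] = m[2] ? m[2].gsub(/\\(.)/, '\1') : m[3]
    buf = +''
  end
  value.each_char do |c|
    if in_quotes
      buf << c
      if escaped      then escaped = false
      elsif c == '\\' then escaped = true
      elsif c == '"'  then in_quotes = false
      end
    elsif c == ';' || c == ','
      flush.call
      (elements << current; current = {}) if c == ','
    else
      in_quotes = true if c == '"'
      buf << c
    end
  end
  flush.call
  elements << current unless current.empty?
  elements
end
# Defender check for logs or an edge filter: a ';' inside a quoted string is
# exactly the shape on which the two parsers disagree.
def semicolon_inside_quotes?(value)
  value.scan(/"(?:[^"\\]|\\.)*"/).any? { |q| q.include?(';') }
end
```

Note that a default nginx access log does not record the Forwarded header at all, so the grep in the list above only finds anything if the log format has been extended to include it.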

What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade the Rack Ruby gem to a patched version: 3.1.21 or later in the 3.1.x series, or 3.2.6 or later in the 3.2.x series.

Additional immediate steps include avoiding trusting client-supplied Forwarded headers unless they are normalized or regenerated by trusted proxies.

It is recommended to strip inbound Forwarded headers at the edge of your network and reconstruct them from trusted metadata sources.

Security-sensitive operations should avoid relying on request metadata such as req.host, req.scheme, req.base_url, or req.url unless the forwarding chain is explicitly trusted and validated.

