CVE-2026-34786
Header Bypass in Rack::Static via URL-Encoded Path Handling
Publication date: 2026-04-02
Last updated on: 2026-04-16
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| rack | rack | From 3.0.0 (inc) to 3.1.21 (exc) |
| rack | rack | From 3.2.0 (inc) to 3.2.6 (exc) |
| rack | rack | to 2.2.23 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-180 | The product validates input before it is canonicalized, which prevents the product from detecting data that becomes invalid after the canonicalization step. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows attackers to bypass security-relevant response headers on static content by requesting URL-encoded variants of file paths. If these headers are used to enforce protections such as clickjacking prevention or content restrictions, their bypass could weaken the security posture of an application.
In environments subject to compliance standards like GDPR or HIPAA, which require appropriate safeguards to protect data integrity and confidentiality, this vulnerability could undermine those safeguards if security headers are relied upon to enforce such protections.
Therefore, applications relying solely on Rack::Static to attach security-critical headers may face increased risk of non-compliance due to potential header bypass, especially if sensitive data or regulated content is served as static files.
Mitigation involves upgrading to patched versions and applying security headers at the reverse proxy or web server level to ensure consistent enforcement regardless of URL encoding, helping maintain compliance with security requirements.
Can you explain this vulnerability to me?
This vulnerability exists in the Rack Ruby web server library, specifically in the Rack::Static middleware's handling of security headers.
The issue arises because Rack::Static evaluates security header rules against the raw, URL-encoded request path, but serves files based on the decoded path. This mismatch allows an attacker to request a URL-encoded version of a static file path and receive the file without the security headers that should have been applied.
For example, the path "/fonts/test.woff" and its encoded variant "/fonts/test%2Ewoff" both point to the same file, but only the unencoded path triggers the security headers. An attacker can exploit this to bypass protections like clickjacking prevention or content restrictions.
This vulnerability affects versions of Rack before 2.2.23, versions from 3.0 up to but not including 3.1.21, and versions from 3.2 up to but not including 3.2.6. It has been fixed in versions 2.2.23, 3.1.21, and 3.2.6.
How can this vulnerability impact me? :
If your application relies on Rack::Static to attach security-relevant headers to static content, this vulnerability can allow attackers to bypass those headers by requesting encoded versions of static file paths.
This means protections such as clickjacking prevention, content security policies, or other response headers intended to secure static files may not be applied, potentially exposing your application to security risks.
The severity of the impact depends on how the header_rules are configured and the nature of the static content served. If header_rules are only used for non-security purposes like caching, the impact is limited.
The vulnerability has a moderate severity rating with a CVSS v3.1 base score of 5.3, indicating a network attack vector with low complexity and no required privileges or user interaction.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the Rack::Static middleware serving static files without applying security headers when URL-encoded paths are used. Detection involves identifying requests to static files using URL-encoded variants of paths that should have security headers applied.
To detect this on your system or network, you can monitor HTTP requests for URL-encoded static file paths and check if the expected security headers are missing in the responses.
- Use web server or application logs to search for requests containing URL-encoded characters in static file paths, such as '%2E' instead of '.'
- Example command to find encoded requests in logs (assuming Apache logs): grep -E '%[0-9A-Fa-f]{2}' access.log | grep -E '\.(woff|css|js|png|jpg|gif)'
- Use curl or similar tools to manually test if encoded paths bypass security headers, for example: curl -I 'http://yourserver/fonts/test%2Ewoff' and compare headers with curl -I 'http://yourserver/fonts/test.woff'
Automated scanning tools or custom scripts can be developed to request encoded variants of static paths and verify the presence or absence of security headers.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade the Rack library to a patched version where this issue is fixed.
- Upgrade Rack to version 2.2.23, 3.1.21, or 3.2.6 or later, where the header_rules are applied to the decoded path consistently.
- Avoid relying solely on Rack::Static for applying security-critical headers to static content.
- Configure security headers at the reverse proxy or web server level (e.g., Nginx, Apache) to ensure headers are applied regardless of URL encoding.
- Implement normalization or rejection of encoded path variants for static content at the edge or application firewall if feasible.