Executive Summary

CVE-2026-34835 is a vulnerability in the Ruby Rack library's Rack::Request component related to how it parses the HTTP Host header.

Rack::Request uses an AUTHORITY regular expression that accepts invalid characters not allowed in RFC-compliant hostnames, such as /, ?, #, and @.

Because the req.host method returns the full parsed value including these invalid characters, applications that perform simple prefix or suffix checks to validate hosts can be bypassed.

For example, a host value like 'evil.com/myapp.com' could bypass a check intended to allow only 'myapp.com'.

This flaw enables attackers to bypass host allowlists and conduct host header poisoning attacks.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow attackers to poison host headers used by applications for link generation, redirects, or origin validation.

As a result, attackers may manipulate generated links or redirects, potentially leading to security issues such as password reset link poisoning or other host header injection attacks.

The attack requires no privileges or user interaction but has a high attack complexity.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring HTTP Host headers for invalid characters that are not permitted in RFC-compliant hostnames, such as /, ?, #, and @. Look for Host header values that include these characters or malformed hostnames that could bypass naive prefix or suffix checks.

You can use network traffic inspection tools or web server logs to identify suspicious Host headers. For example, using command-line tools like tcpdump or grep to filter HTTP requests containing unusual Host header values.

• Using tcpdump to capture HTTP traffic and filter Host headers with invalid characters: tcpdump -A -s 0 'tcp port 80' | grep -E 'Host: .*[/\?#@]'
• Using grep on web server access logs to find Host headers with suspicious characters: grep -E 'Host: .*[/\?#@]' /var/log/nginx/access.log

Additionally, review application logs for usage of req.host, req.url, or req.base_url to detect if any malformed host values are being processed.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to update the Rack library to a patched version: 3.1.21 or later, or 3.2.6 or later, where the Host header parsing issue is fixed.

In addition to updating, enforce strict Host header validation at reverse proxies or load balancers to reject requests with invalid characters in the Host header.

Avoid using naive prefix or suffix checks for host allowlisting in your application code. Instead, implement exact host or subdomain boundary checks after validating the syntactic correctness of the Host header.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows attackers to bypass host allowlists and conduct host header poisoning attacks, which can lead to security issues such as password reset link poisoning or other host header injection attacks.

Such security issues can potentially impact the confidentiality and integrity of user data, which are critical aspects of compliance with standards like GDPR and HIPAA.

If exploited, the vulnerability could undermine the security controls required to protect sensitive information, thereby affecting an organization's ability to meet regulatory requirements for data protection and secure application behavior.

Mitigation involves updating to patched versions of Rack and enforcing strict Host header validation, which helps maintain compliance by reducing the risk of unauthorized data exposure or manipulation.

Useful 0 Not Useful 0