{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34830", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T20:52:53.284Z", "datePublished": "2026-04-02T16:47:40.490Z", "dateUpdated": "2026-04-02T18:59:46.589Z"}, "containers": {"cna": {"title": "Rack: Rack::Sendfile regex injection via HTTP_X_ACCEL_MAPPING header allows arbitrary file reads through nginx", "problemTypes": [{"descriptions": [{"cweId": "CWE-625", "lang": "en", "description": "CWE-625: Permissive Regular Expression", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/rack/rack/security/advisories/GHSA-qv7j-4883-hwh7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/rack/rack/security/advisories/GHSA-qv7j-4883-hwh7"}], "affected": [{"vendor": "rack", "product": "rack", "versions": [{"version": "< 2.2.23", "status": "affected"}, {"version": ">= 3.0.0.beta1, < 3.1.21", "status": "affected"}, {"version": ">= 3.2.0, < 3.2.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T16:47:40.490Z"}, "descriptions": [{"lang": "en", "value": "Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Sendfile#map_accel_path interpolates the value of the X-Accel-Mapping request header directly into a regular expression when rewriting file paths for X-Accel-Redirect. Because the header value is not escaped, an attacker who can supply X-Accel-Mapping to the backend can inject regex metacharacters and control the generated X-Accel-Redirect response header. In deployments using Rack::Sendfile with x-accel-redirect, this can allow an attacker to cause nginx to serve unintended files from configured internal locations. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6."}], "source": {"advisory": "GHSA-qv7j-4883-hwh7", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T18:59:36.006369Z", "id": "CVE-2026-34830", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T18:59:46.589Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34830", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-02T18:59:36.006369Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T18:59:41.978Z"}}], "cna": {"title": "Rack: Rack::Sendfile regex injection via HTTP_X_ACCEL_MAPPING header allows arbitrary file reads through nginx", "source": {"advisory": "GHSA-qv7j-4883-hwh7", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "rack", "product": "rack", "versions": [{"status": "affected", "version": "< 2.2.23"}, {"status": "affected", "version": ">= 3.0.0.beta1, < 3.1.21"}, {"status": "affected", "version": ">= 3.2.0, < 3.2.6"}]}], "references": [{"url": "https://github.com/rack/rack/security/advisories/GHSA-qv7j-4883-hwh7", "name": "https://github.com/rack/rack/security/advisories/GHSA-qv7j-4883-hwh7", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Sendfile#map_accel_path interpolates the value of the X-Accel-Mapping request header directly into a regular expression when rewriting file paths for X-Accel-Redirect. Because the header value is not escaped, an attacker who can supply X-Accel-Mapping to the backend can inject regex metacharacters and control the generated X-Accel-Redirect response header. In deployments using Rack::Sendfile with x-accel-redirect, this can allow an attacker to cause nginx to serve unintended files from configured internal locations. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-625", "description": "CWE-625: Permissive Regular Expression"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T16:47:40.490Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34830", "state": "PUBLISHED", "dateUpdated": "2026-04-02T18:59:46.589Z", "dateReserved": "2026-03-30T20:52:53.284Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-02T16:47:40.490Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Sendfile#map_accel_path interpolates the value of the X-Accel-Mapping request header directly into a regular expression when rewriting file paths for X-Accel-Redirect. Because the header value is not escaped, an attacker who can supply X-Accel-Mapping to the backend can inject regex metacharacters and control the generated X-Accel-Redirect response header. In deployments using Rack::Sendfile with x-accel-redirect, this can allow an attacker to cause nginx to serve unintended files from configured internal locations. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6."}], "id": "CVE-2026-34830", "lastModified": "2026-04-02T17:16:26.267", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-02T17:16:26.267", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/rack/rack/security/advisories/GHSA-qv7j-4883-hwh7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-625"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.2.23)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.0.0.beta1,3.1.21)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.2.0,3.2.6)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "rack", "source": "cna", "vendor": "rack"}, "product": "rack", "vendor": "rack"}], "analysis": {"en": {"generated_at": "2026-04-02T22:34:57.806552+00:00", "value": {"mitigation_remediation": ["Upgrade Rack to version 2.2.23 or later, 3.1.21 or later, or 3.2.6 or later to remove the vulnerability."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary File Read"}, "threat_synthesis": {"affected_systems": "The affected component is Rack, the Ruby web server interface library. The vulnerability affects all releases of Rack older than 2.2.23, 3.1.21, and 3.2.6. These versions are widely used in Ruby applications that rely on Rack::Sendfile with nginx's X-Accel-Redirect feature.", "description_and_impact": "Rack is a modular Ruby web server interface. In versions prior to 2.2.23, 3.1.21, and 3.2.6, the Rack::Sendfile#map_accel_path method interpolates the value of the X-Accel-Mapping request header directly into a regular expression used for rewriting file paths for X-Accel-Redirect. Because this header value is not escaped, an attacker who can supply X-Accel-Mapping to the backend can inject regex metacharacters and control the generated X-Accel-Redirect response header, leading to arbitrary file reads from internal locations, a pattern consistent with CWE-625.", "risk_and_exploitability": "The CVSS score for this issue is 5.9, indicating moderate severity. EPSS data is not provided, and the vulnerability is not listed in CISA\u2019s KEV catalog. The most likely attack vector is a crafted HTTP request containing a malicious X-Accel-Mapping header sent to a Rack application sitting behind nginx configured for X-Accel-Redirect. If exploited, the attacker could cause nginx to serve unintended files from configured internal locations, potentially exposing sensitive data. Because the attack requires only the ability to supply request headers, it can be performed over the public network, but it is mitigated by the patch."}}}}, "created": "2026-04-03T07:32:31.022335+00:00", "updated": "2026-04-03T09:18:22.143846+00:00", "vendors": ["rack", "rack$PRODUCT$rack"]}