CVE-2026-26962
Rack: Header injection in multipart requests
CVSS Score
4.8
EPSS Score
0.0%
EPSS Percentile
12th
Rack is a modular Ruby web server interface. From version 3.2.0 to before version 3.2.6, Rack::Multipart::Parser unfolds folded multipart part headers incorrectly. When a multipart header contains an obs-fold sequence, Rack preserves the embedded CRLF in parsed parameter values such as filename or name instead of removing the folded line break during unfolding. As a result, applications that later reuse those parsed values in HTTP response headers may be vulnerable to downstream header injection or response splitting. This issue has been patched in version 3.2.6.
| CWE | CWE-93 |
| Vendor | rack |
| Product | rack |
| Published | Apr 2, 2026 |
| Last Updated | Apr 3, 2026 |
Stay Ahead of the Next One
Get instant alerts for rack rack
Be the first to know when new medium vulnerabilities affecting rack rack are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None
Affected Versions
rack / rack
>= 3.2.0, < 3.2.6