CVE-2026-34835

MEDIUM 4.8

Rack: `Rack::Request` accepts invalid Host characters, enabling host allowlist bypass.

CVSS Score

4.8

EPSS Score

0.0%

EPSS Percentile

0th

Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21, and 3.2.0 to before 3.2.6, Rack::Request parses the Host header using an AUTHORITY regular expression that accepts characters not permitted in RFC-compliant hostnames, including /, ?, #, and @. Because req.host returns the full parsed value, applications that validate hosts using naive prefix or suffix checks can be bypassed. This can lead to host header poisoning in applications that use req.host, req.url, or req.base_url for link generation, redirects, or origin validation. This issue has been patched in versions 3.1.21 and 3.2.6.

CWE	CWE-1286
Vendor	rack
Product	rack
Published	Apr 2, 2026
Last Updated	Apr 2, 2026

Stay Ahead of the Next One

Get instant alerts for rack rack

Be the first to know when new medium vulnerabilities affecting rack rack are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

Affected Versions

rack / rack

>= 3.0.0.beta1, < 3.1.21 >= 3.2.0, < 3.2.6

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/rack/rack/security/advisories/GHSA-g2pf-xv49-m2h5