{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-34785","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2026-03-30T19:54:55.556Z","datePublished":"2026-04-02T16:44:17.134Z","dateUpdated":"2026-06-30T12:09:08.092Z"},"containers":{"cna":{"title":"Rack: Local file inclusion in `Rack::Static` via URL Prefix Matching","problemTypes":[{"descriptions":[{"cweId":"CWE-187","lang":"en","description":"CWE-187: Partial String Comparison","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-200","lang":"en","description":"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor","type":"CWE"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","version":"3.1"}}],"references":[{"name":"https://github.com/rack/rack/security/advisories/GHSA-h2jq-g4cq-5ppq","tags":["x_refsource_CONFIRM"],"url":"https://github.com/rack/rack/security/advisories/GHSA-h2jq-g4cq-5ppq"}],"affected":[{"vendor":"rack","product":"rack","versions":[{"version":"< 2.2.23","status":"affected"},{"version":">= 3.0.0.beta1, < 3.1.21","status":"affected"},{"version":">= 3.2.0, < 3.2.6","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2026-04-02T16:44:17.134Z"},"descriptions":[{"lang":"en","value":"Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Static determines whether a request should be served as a static file using a simple string prefix check. When configured with URL prefixes such as \"/css\", it matches any request path that begins with that string, including unrelated paths such as \"/css-config.env\" or \"/css-backup.sql\". As a result, files under the static root whose names merely share the configured prefix may be served unintentionally, leading to information disclosure. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6."}],"source":{"advisory":"GHSA-h2jq-g4cq-5ppq","discovery":"UNKNOWN"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-04-02T18:58:57.726888Z","id":"CVE-2026-34785","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-04-02T18:59:08.828Z"}},{"affected":[{"cpes":["cpe:/a:redhat:satellite:6"],"defaultStatus":"unaffected","product":"Red Hat Satellite 6","vendor":"Red Hat"}],"datePublic":"2026-04-02T16:44:17.134Z","descriptions":[{"lang":"en","value":"A flaw was found in Rack. The `Rack::Static` component, which serves static files for web applications, uses a simple string prefix check to determine if a request should be served as a static file. This can lead to unintended information disclosure, as files with names that merely share a configured URL prefix (e.g., \"/css\" matching \"/css-config.env\") may be served unintentionally to a remote attacker."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-552","description":"Files or Directories Accessible to External Parties","lang":"en","type":"CWE"}]}],"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-34785"},{"name":"RHBZ#2454486","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2454486"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-34785.json"}],"timeline":[{"lang":"en","time":"2026-04-02T18:01:13.485Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-04-02T16:44:17.134Z","value":"Made public."}],"title":"github.com/rack/rack: Rack: Information disclosure via incorrect static file serving prefix check","x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"},"providerMetadata":{"orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP","dateUpdated":"2026-06-30T12:09:08.092Z"}}]}}