CVE-2026-22860
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, Rack::Directory’s path check used a string prefix match on the expanded path. A request like /../root_example/ can escape the configured root if the target path starts with the root string, allowing directory listing outside the intended root. Versions 2.2.22, 3.1.20, and 3.2.5 fix the issue.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| rack | rack | < 2.2.22 | affected |
| rack | rack | >= 3.0.0.beta1, < 3.1.20 | affected |
| rack | rack | >= 3.2.0, < 3.2.5 | affected |
Weaknesses
- CWE-22: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- CWE-548: CWE-548: Exposure of Information Through Directory Listing
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
rubygem-rack: Rack Directory Traversal via Rack:Directory
Additional References
- https://access.redhat.com/security/cve/CVE-2026-22860
- https://bugzilla.redhat.com/show_bug.cgi?id=2440737
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-22860.json
References
- https://github.com/rack/rack/security/advisories/GHSA-mxw3-3hh2-x2mh
- https://github.com/rack/rack/commit/75c5745c286637a8f049a33790c71237762069e7
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.