CVE-2026-26961 Overview
CVE-2026-26961 is a request smuggling vulnerability in Rack, the modular Ruby web server interface used by frameworks such as Ruby on Rails and Sinatra. The flaw resides in Rack::Multipart::Parser, which extracts the boundary parameter from multipart/form-dataContent-Type headers using a greedy regular expression. When a request contains multiple boundary parameters, Rack selects the last one while upstream proxies or web application firewalls (WAFs) typically select the first. This parser discrepancy [CWE-436] allows attackers to bypass upstream inspection and have Rack parse a different body structure than the intermediary validated. The issue affects all Rack versions prior to 2.2.23, 3.1.21, and 3.2.6.
Critical Impact
Attackers can smuggle multipart content past upstream WAFs and proxies, undermining security inspection on any Ruby application using vulnerable Rack versions behind an intermediary.
Affected Products
- Rack versions prior to 2.2.23
- Rack versions 3.1.0 through 3.1.20
- Rack versions 3.2.0 through 3.2.5
Discovery Timeline
- 2026-04-02 - CVE-2026-26961 published to NVD
- 2026-04-16 - Last updated in NVD database
Technical Details for CVE-2026-26961
Vulnerability Analysis
The vulnerability is an interpretation conflict between Rack and upstream HTTP intermediaries. Rack uses a greedy regular expression to extract the boundary parameter from the Content-Type header of multipart/form-data requests. When the header includes more than one boundary= parameter, the regex consumes input until the last match, causing Rack to use the final boundary value.
Upstream proxies, WAFs, and CDNs typically follow the more common convention of using the first parameter value encountered. This mismatch produces two divergent views of the same HTTP body. The intermediary parses and validates the request using one boundary, while Rack processes a different multipart structure entirely.
The consequence is classic parser-differential request smuggling. An attacker can craft a payload where benign-looking content sits between the first boundary markers and malicious content sits between the second boundary markers. Inspection tools approve the request based on the first interpretation, while Rack ingests the smuggled second structure.
Root Cause
The root cause is the use of a greedy regular expression in Rack::Multipart::Parser for boundary extraction without enforcing a single-value constraint. RFC 7231 does not strictly define behavior for duplicate parameters, which is why parser implementations diverge. Rack's choice of the last value diverges from the majority convention, producing the differential.
Attack Vector
Exploitation requires the attacker to send a single HTTP request containing a Content-Type header with two boundary parameters. No authentication or user interaction is required. The attack is only useful where an upstream component performs content inspection that Rack-served applications rely on for security guarantees, such as upload filtering, malware scanning, or input validation at the WAF layer.
No verified public exploit code is currently available. See the GitHub Security Advisory GHSA-vgpv-f759-9wx3 for technical details and patched commits.
Detection Methods for CVE-2026-26961
Indicators of Compromise
- HTTP requests with Content-Type: multipart/form-data headers containing more than one boundary= parameter
- Discrepancies between upstream proxy access logs and Rack application logs for the same request, particularly in multipart upload endpoints
- Multipart requests where the parsed file count or field names differ between the WAF inspection log and the application log
Detection Strategies
- Inspect HTTP request headers at the proxy or load balancer for duplicate boundary parameters in Content-Type values and alert or block on the pattern
- Correlate WAF inspection results with application-side multipart parsing telemetry to surface parser-differential anomalies
- Audit installed Ruby gem versions across the fleet to identify Rack instances below 2.2.23, 3.1.21, or 3.2.6
Monitoring Recommendations
- Log full Content-Type header values for all multipart requests during the remediation window to support forensic review
- Monitor file upload endpoints for unexpected file types, sizes, or field structures that bypassed upstream filtering
- Track Rack version inventory through software composition analysis tools and flag downgrades or unpatched deployments
How to Mitigate CVE-2026-26961
Immediate Actions Required
- Upgrade Rack to version 2.2.23, 3.1.21, or 3.2.6 depending on the major version in use
- Configure upstream proxies and WAFs to reject Content-Type headers containing multiple boundary parameters
- Audit application logs for prior multipart requests with malformed Content-Type headers to identify exploitation attempts
Patch Information
The Rack maintainers released patches in versions 2.2.23, 3.1.21, and 3.2.6. The fix updates the boundary extraction logic in Rack::Multipart::Parser to handle duplicate parameters safely. Full advisory details are available at the GitHub Security Advisory GHSA-vgpv-f759-9wx3.
Workarounds
- Deploy a request-rewriting rule at the reverse proxy or WAF that normalizes Content-Type headers to retain only the first boundary parameter
- Reject any request whose Content-Type header contains the substring boundary= more than once before it reaches the Rack application
- Restrict multipart upload endpoints to authenticated users where feasible to reduce the unauthenticated attack surface until patching completes
# Update Rack via Bundler to a patched version
bundle update rack
# Verify the installed Rack version meets the patched baseline
bundle list | grep rack
# Expected: rack (2.2.23) or rack (3.1.21) or rack (3.2.6) or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
