CVE-2026-34785 Overview
CVE-2026-34785 is an information disclosure vulnerability in Rack, the modular Ruby web server interface used by most Ruby web frameworks including Ruby on Rails. The flaw resides in Rack::Static, which determines whether a request should be served as a static file using a simple string prefix check. When configured with URL prefixes such as /css, the middleware matches any request path beginning with that string, including unrelated paths like /css-config.env or /css-backup.sql. Attackers can retrieve files under the static root whose names merely share the configured prefix. The issue is patched in versions 2.2.23, 3.1.21, and 3.2.6.
Critical Impact
Unauthenticated remote attackers can read sensitive files under the static root by crafting paths that share a configured static URL prefix, exposing configuration files, database backups, and other secrets.
Affected Products
- Rack versions prior to 2.2.23
- Rack versions 3.0.0 through 3.1.20
- Rack versions 3.2.0 through 3.2.5
Discovery Timeline
- 2026-04-02 - CVE-2026-34785 published to NVD
- 2026-04-16 - Last updated in NVD database
Technical Details for CVE-2026-34785
Vulnerability Analysis
The vulnerability is classified as [CWE-187: Partial String Comparison] and results in information disclosure over the network without authentication or user interaction. Rack::Static is middleware that serves static files from a configured root directory when request paths match one of the operator-supplied URL prefixes. Instead of treating prefixes as path segments, Rack performs a raw String#start_with? comparison. This allows file names that share a textual prefix with a directory name to fall into the static-serving branch and be returned to the caller. The result is that files unrelated to the intended static asset directory become reachable if their names happen to begin with the configured prefix string.
Root Cause
The root cause is a partial string comparison rather than a path-segment-aware match in the Rack::Static middleware. A prefix like /css is intended to scope only the /css/ directory, but the comparison treats /css-backup.sql as a valid match. Any file in the static root whose filename starts with the prefix text is served, regardless of whether it is an intended static asset.
Attack Vector
An unauthenticated remote attacker sends HTTP requests for crafted paths that begin with a configured static prefix but reference unrelated files in the same root directory. For an application configured to serve /css, requests targeting paths such as /css-config.env, /css-backup.sql, or /css.bak may return the file contents directly. The attack requires no privileges or user interaction and depends only on the attacker guessing or enumerating filenames adjacent to the static directory. Sensitive artifacts such as environment files, database dumps, and backup archives are common disclosure targets.
No public proof-of-concept exploit code has been published. See the GitHub Security Advisory GHSA-h2jq-g4cq-5ppq for the maintainer's technical description.
Detection Methods for CVE-2026-34785
Indicators of Compromise
- HTTP 200 responses for request paths that share a static prefix but reference non-asset file extensions such as .env, .sql, .bak, .yml, or .pem.
- Web server access logs showing requests to paths like /css-config.env, /js-backup.sql, or similar prefix-adjacent filenames.
- Outbound transfer of unusually large response bodies from URLs immediately adjacent to known static asset directories.
Detection Strategies
- Inventory all Rack-based applications and identify any use of Rack::Static along with its configured :urls prefixes.
- Review access logs for request paths that begin with a configured static prefix but include unexpected characters such as -, ., or _ immediately after the prefix.
- Audit the static root directory for files whose names share a prefix with configured URL paths and could be inadvertently served.
Monitoring Recommendations
- Forward web server and application logs to a centralized analytics platform and alert on 200 responses for sensitive file extensions.
- Add web application firewall (WAF) rules to flag or block requests matching patterns like /<prefix>[-_.][^/]*\.(env|sql|bak|key|pem|yml).
- Track Rack and Ruby dependency versions across the fleet using software composition analysis to identify vulnerable releases.
How to Mitigate CVE-2026-34785
Immediate Actions Required
- Upgrade Rack to 2.2.23, 3.1.21, or 3.2.6 depending on the major version in use.
- Move sensitive files such as .env, database dumps, and backups out of any directory configured as a Rack::Static root.
- Audit Rack::Static configurations and rename or remove files whose names share a prefix with configured URL paths.
Patch Information
The Rack maintainers released fixed versions 2.2.23, 3.1.21, and 3.2.6 that correct the prefix comparison logic in Rack::Static. Application owners should update the rack gem in Gemfile.lock and redeploy. Refer to the Rack Security Advisory GHSA-h2jq-g4cq-5ppq for upgrade guidance and complete release notes.
Workarounds
- Restructure the static asset directory so it contains only intended public assets and no adjacent sensitive files.
- Configure Rack::Static with explicit, narrowly scoped prefixes that end in a trailing slash where supported, and avoid serving the application root.
- Place a reverse proxy or WAF in front of the application to block requests for sensitive file extensions regardless of path prefix.
# Update Rack to a patched version
bundle update rack
# Verify installed version meets the fix
bundle list | grep rack
# Expected: rack (2.2.23) or (3.1.21) or (3.2.6) or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
