CVE-2026-26961

CVE-2026-26961 is a low-severity vulnerability in Rack with a CVSS 3.x base score of 3.7. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-436.

Key facts

Description

Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser extracts the boundary parameter from multipart/form-data using a greedy regular expression. When a Content-Type header contains multiple boundary parameters, Rack selects the last one rather than the first. In deployments where an upstream proxy, WAF, or intermediary interprets the first boundary parameter, this mismatch can allow an attacker to smuggle multipart content past upstream inspection and have Rack parse a different body structure than the intermediary validated. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.

Frequently asked questions

What is CVE-2026-26961?
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser extracts the boundary parameter from multipart/form-data using a greedy regular expression. When a Content-Type header contains multiple boundary parameters, Rack selects the last one rather than the first. In deployments where an upstream proxy, WAF, or intermediary interprets the first boundary parameter, this mismatch can allow an attacker to smuggle multipart content past upstream inspection and have Rack parse a different body structure than the intermediary validated. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
How severe is CVE-2026-26961?
CVE-2026-26961 has a CVSS 3.x base score of 3.7, rated low severity. It is exploitable over network with high attack complexity, requires no privileges and no user interaction. Impact on confidentiality is none, integrity low, and availability none.
Is CVE-2026-26961 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (17th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2026-26961?
CVE-2026-26961 affects Rack. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2026-26961?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
Does CVE-2026-26961 have an EU (EUVD) identifier?
Yes. CVE-2026-26961 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-18368.
When was CVE-2026-26961 published?
CVE-2026-26961 was published on 2026-04-02 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Rack

All CVEs affecting Rack →

Other CWE-436 vulnerabilities

Browse all CWE-436 vulnerabilities →