Security Vulnerability Report
CVE-2026-34763 CVSS 5.3 MEDIUM

CVE-2026-34763

Published: 2026-04-02 17:16:25
Last Modified: 2026-04-16 17:26:25

Description

Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Directory interpolates the configured root path directly into a regular expression when deriving the displayed directory path. If root contains regex metacharacters such as +, *, or ., the prefix stripping can fail and the generated directory listing may expose the full filesystem path in the HTML output. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
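The following Ruby snippet is an added illustration of the bug class the description refers to; it is not Rack's code. The helper names (`show_path_unescaped`, `show_path_escaped`, `root_prefix_safe?`) and the sample roots and paths are constructed for this example. It contrasts interpolating the configured root into a regular expression as-is with the hardened form that passes it through `Regexp.escape` first, and shows the three failure modes the metacharacters `+`, `*` and `.` produce: no match at all (full path leaks), partial match (wrong prefix stripped) and over-match (a sibling directory's path is stripped too).

```ruby
# Hypothetical helper mirroring the vulnerable pattern: the root is dropped
# into the regex source unescaped, so any regex metacharacter in it changes
# what the pattern matches.
def show_path_unescaped(root, path)
  path.sub(/^#{root}/, '')
end

# Hardened form: Regexp.escape turns '+', '*', '.' and friends into literals,
# and \A anchors at the start of the string rather than the start of any line.
def show_path_escaped(root, path)
  path.sub(/\A#{Regexp.escape(root)}/, '')
end

# Both derivations side by side for one root/path pair.
def compare(root, path)
  { unescaped: show_path_unescaped(root, path),
    escaped:   show_path_escaped(root, path) }
end

# Configuration check a defender can run: does the unescaped pattern strip the
# literal root completely? If not, a listing under that root will display the
# full filesystem path (or a mangled one).
def root_prefix_safe?(root)
  show_path_unescaped(root, root).empty?
end

# Constructed sample roots and the path of a subdirectory under each.
SAMPLES = {
  "/var/www/site"        => "/var/www/site/uploads",        # no metacharacters
  "/var/www/data+backup" => "/var/www/data+backup/uploads", # '+' => no match, full path leaks
  "/var/www/files*"      => "/var/www/files*/uploads",      # '*' => partial match, '*/uploads' shown
  "/var/www/app.v1"      => "/var/www/app.v1/uploads",      # '.' => matches itself, but see below
}

# Over-match case: with '.' unescaped, a sibling directory also gets stripped.
SIBLING_ROOT = "/var/www/app.v1"
SIBLING_PATH = "/var/www/appXv1/secret"

if __FILE__ == $0
  SAMPLES.each do |root, path|
    r = compare(root, path)
    puts format("%-22s unescaped=%-32s escaped=%-10s safe=%s",
                root, r[:unescaped].inspect, r[:escaped].inspect, root_prefix_safe?(root))
  end
  puts "sibling: #{compare(SIBLING_ROOT, SIBLING_PATH).inspect}"
end
```

Run it with `ruby` and the `safe=false` rows are the roots that would expose or mangle the displayed path with the unescaped pattern; the escaped variant returns `/uploads` for every row and leaves the sibling path untouched.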

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:rack:rack:*:*:*:*:*:ruby:*:* - VULNERABLE (Rack < 2.2.23)
cpe:2.3:a:rack:rack:*:*:*:*:*:ruby:*:* - VULNERABLE (Rack >= 3.0.0, < 3.1.21)
cpe:2.3:a:rack:rack:*:*:*:*:*:ruby:*:* - VULNERABLE (Rack >= 3.2.0, < 3.2.6)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
ruby
# PoC concept for CVE-2026-34763 (config.ru)
# Requires a vulnerable Rack version (< 2.2.23, < 3.1.21 or < 3.2.6) and a
# root directory whose name contains a regex metacharacter.
require 'rack'

# Scenario: Rack::Directory configured with a root path containing a regex
# metacharacter, e.g. a directory named 'data+backup' or 'app.v1'.
# Vulnerable versions interpolate this string into a regular expression
# unescaped when deriving the displayed directory path. With '+' the pattern
# ('dat' followed by one or more 'a', then 'backup') no longer matches the
# literal root, so the prefix is not stripped; with '.' the pattern still
# matches the root itself but also matches any character in that position.
vulnerable_root = "/var/www/data+backup"

use Rack::Directory, vulnerable_root
run lambda { |env| [200, { 'content-type' => 'text/plain' }, ["Rack App Running"]] }

# Verification steps:
# 1. Start the app (e.g. `rackup`) and send a GET request for the directory
#    (e.g. http://target/).
# 2. Inspect the HTML response of the directory listing.
# 3. The displayed paths contain the full filesystem path
#    '/var/www/data+backup/...' instead of just the relative path '/...'.
# 4. This confirms the information disclosure vulnerability.

References

https://github.com/rack/rack/security/advisories/GHSA-7mqq-6cf9-v2qp (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-34763", "sourceIdentifier": "[email protected]", "published": "2026-04-02T17:16:24.723", "lastModified": "2026-04-16T17:26:24.647", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Directory interpolates the configured root path directly into a regular expression when deriving the displayed directory path. If root contains regex metacharacters such as +, *, or ., the prefix stripping can fail and the generated directory listing may expose the full filesystem path in the HTML output. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-625"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:rack:rack:*:*:*:*:*:ruby:*:*", "versionEndExcluding": "2.2.23", "matchCriteriaId": "AD5DE7DE-3A8B-4064-A7D5-1E117A101E81"}, {"vulnerable": true, "criteria": "cpe:2.3:a:rack:rack:*:*:*:*:*:ruby:*:*", "versionStartIncluding": "3.0.0", "versionEndExcluding": "3.1.21", "matchCriteriaId": "6948AAA6-873D-46BA-AA22-4C81138128E1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:rack:rack:*:*:*:*:*:ruby:*:*", "versionStartIncluding": "3.2.0", "versionEndExcluding": "3.2.6", "matchCriteriaId": "3FB592AD-E826-49BE-AC6D-E5F55FDCC96E"}]}]}], "references": 
[{"url": "https://github.com/rack/rack/security/advisories/GHSA-7mqq-6cf9-v2qp", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}