{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26962", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-16T22:20:28.612Z", "datePublished": "2026-04-02T17:10:17.091Z", "dateUpdated": "2026-04-03T18:13:06.632Z"}, "containers": {"cna": {"title": "Rack: Header injection in multipart requests", "problemTypes": [{"descriptions": [{"cweId": "CWE-93", "lang": "en", "description": "CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/rack/rack/security/advisories/GHSA-rx22-g9mx-qrhv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/rack/rack/security/advisories/GHSA-rx22-g9mx-qrhv"}], "affected": [{"vendor": "rack", "product": "rack", "versions": [{"version": ">= 3.2.0, < 3.2.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T17:10:17.091Z"}, "descriptions": [{"lang": "en", "value": "Rack is a modular Ruby web server interface. From version 3.2.0 to before version 3.2.6, Rack::Multipart::Parser unfolds folded multipart part headers incorrectly. When a multipart header contains an obs-fold sequence, Rack preserves the embedded CRLF in parsed parameter values such as filename or name instead of removing the folded line break during unfolding. As a result, applications that later reuse those parsed values in HTTP response headers may be vulnerable to downstream header injection or response splitting. This issue has been patched in version 3.2.6."}], "source": {"advisory": "GHSA-rx22-g9mx-qrhv", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T18:31:17.511210Z", "id": "CVE-2026-26962", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T18:13:06.632Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Rack is a modular Ruby web server interface. From version 3.2.0 to before version 3.2.6, Rack::Multipart::Parser unfolds folded multipart part headers incorrectly. When a multipart header contains an obs-fold sequence, Rack preserves the embedded CRLF in parsed parameter values such as filename or name instead of removing the folded line break during unfolding. As a result, applications that later reuse those parsed values in HTTP response headers may be vulnerable to downstream header injection or response splitting. This issue has been patched in version 3.2.6."}], "id": "CVE-2026-26962", "lastModified": "2026-04-03T16:10:23.730", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-02T18:16:26.773", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/rack/rack/security/advisories/GHSA-rx22-g9mx-qrhv"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-93"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.2.0,3.2.6)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "rack", "source": "cna", "vendor": "rack"}, "product": "rack", "vendor": "rack"}], "analysis": {"en": {"generated_at": "2026-04-02T21:40:21.873812+00:00", "value": {"mitigation_remediation": ["Apply the Rack patch v3.2.6 or later", "Verify that your Rack installation is updated to a non\u2011affected version", "If a patch is not yet available, monitor for official releases and deploy as soon as possible", "Consider disabling or sanitizing application usage of multipart header values in HTTP responses to mitigate exposure"], "summary": {"action": "Patch", "impact": "Header injection in HTTP responses"}, "threat_synthesis": {"affected_systems": "The affected product is Rack, a modular Ruby web server interface, specifically versions 3.2.0 up to, but not including, 3.2.6. Versions prior to 3.2.0 are not affected, and the issue was fixed in 3.2.6. Users running any of the affected releases should verify which RC they are using and plan an update accordingly.", "description_and_impact": "Rack, a Ruby web server interface, contains an issue in its multipart parsing logic from version 3.2.0 through 3.2.5. The parser fails to remove folded line breaks (obs-fold) when unfolding multipart headers, causing the CRLF characters to remain embedded in parsed values such as filename or name. If these parsed values are later used in HTTP response headers, an attacker can inject arbitrary headers or split the response. This vulnerability is classified as a header injection weakness (CWE\u201193) and can potentially lead to response splitting, redirection, or other injection-based attacks. The impact is limited to the attacker's ability to influence HTTP response headers, which may affect confidentiality, integrity, or availability of the application but does not grant arbitrary code execution.", "risk_and_exploitability": "The CVSS score is 4.8, indicating moderate severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a crafted multipart HTTP request containing folded header lines; the attacker must be able to submit such a request to the target application. The requirement to exploit the flaw is low to moderate, making it potentially exploitable in uncontrolled or poorly validated environments, but it does not provide privilege escalation beyond the application's current context."}}}}, "created": "2026-04-03T07:32:23.285331+00:00", "updated": "2026-04-03T09:18:11.307143+00:00", "vendors": ["rack", "rack$PRODUCT$rack"]}