CVE-2026-34830 MEDIUM

CVE-2026-34830: Rack: Rack::Sendfile regex injection via HTTP_X_ACCEL_MAPPING header allows arbitrary file reads through nginx

Vendor Rack

Product rack

Weakness CWE-625

Published April 2, 2026

Last update April 2, 2026

View on NVD All CVEs

CVSS base score

5.9/10

Attack vector Network

Attack complexity High

Privileges required None

User interaction None

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

Description

Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Sendfile#map_accel_path interpolates the value of the X-Accel-Mapping request header directly into a regular expression when rewriting file paths for X-Accel-Redirect. Because the header value is not escaped, an attacker who can supply X-Accel-Mapping to the backend can inject regex metacharacters and control the generated X-Accel-Redirect response header. In deployments using Rack::Sendfile with x-accel-redirect, this can allow an attacker to cause nginx to serve unintended files from configured internal locations. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.

Key dates

Disclosure timeline

April 2, 2026 CVE published

April 2, 2026 Record updated

Identifiers

CVE CVE-2026-34830

CWE CWE-625

CVSS 5.9 / MEDIUM

Affected versions

Vendor Rack

Product rack

Affected < 2.2.23

Vendor Rack

Product rack

Affected >= 3.0.0.beta1, < 3.1.21

Vendor Rack

Product rack

Affected >= 3.2.0, < 3.2.6