Rack vulnerabilities
Summary
Andrew Lacambra discovered that Rack did not properly parse certain regular expressions. An attacker could possibly use this issue to bypass network security filters. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 25.10. (CVE-2026-26961) William T. Nelson discovered that Rack did not handle multipart headers correctly. An attacker could possibly use this issue to cause downstream parsing issues or a denial of service. This issue only affected Ubuntu 25.10. (CVE-2026-26962) It was discovered that Rack did not handle the Forwarded header correctly. An attacker could possibly use this issue to manipulate header values. This issue only affected Ubuntu 25.10. (CVE-2026-32762) It was discovered that Rack could consume excessive CPU when handling certain Accept-Encoding values. An attacker could possibly use this issue to cause a denial of service. (CVE-2026-34230) Haruki Oyama discovered that certain configurations of Rack could erroneously fail to derive the displayed directory path, and expose the full filesystem path. An attacker could possibly use this issue to disclose deployment details such as layout and usernames. (CVE-2026-34763) It was discovered that Rack did not properly handle static file paths. An attacker could possibly use this issue to exfiltrate unintentionally served data. (CVE-2026-34785) Haruki Oyama discovered that Rack Affected Ubuntu releases: 25.10, 24.04, 22.04, 20.04, 18.04, 16.04, 14.04. CVEs: CVE-2026-26962, CVE-2026-34827, CVE-2026-26961, CVE-2026-34835, CVE-2026-32762, CVE-2026-34826, CVE-2026-34786, CVE-2026-34785….
- Ubuntu 25.10
- Ubuntu 24.04
- Ubuntu 22.04
- Ubuntu 20.04
- Ubuntu 18.04
- Ubuntu 16.04
- Ubuntu 14.04
Official advisory · medium-confidence parse· fetched 3 hours ago·verify at source
Mitigation checklist
- Apply available updates: `sudo apt update && sudo apt upgrade` (a standard system update installs the fix).
Official advisory · medium-confidence parse· fetched 3 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.