Rack has a Directory Traversal via Rack:Directory_CVE-2026-22860

7.5 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Description

Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory`’s path check used a string prefix match on the expanded path. A request like `/../root_example/` can escape the configured root if the target path starts with the root string, allowing directory listing outside the intended root. Versions 2.2.22, 3.1.20, and 3.2.5 fix the issue.

Basic Information

ID CVE-2026-22860

Source GitHub_M

Published Feb 18, 2026 at 18:45

Affected Product

Vendor rack

Product rack

Version < 2.2.22

Affected Versions rack rack < 2.2.22
rack rack >= 3.0.0.beta1, < 3.1.20
rack rack >= 3.2.0, < 3.2.5

CWE Classification

CWE-22 CWE-548

References

{
    "lastseen": "",
    "description": "Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory`\u2019s path check used a string prefix match on the expanded path. A request like `/../root_example/` can escape the configured root if the target path starts with the root string, allowing directory listing outside the intended root. Versions 2.2.22, 3.1.20, and 3.2.5 fix the issue.",
    "published": "2026-02-18T18:45:02.095Z",
    "modified": "2026-02-18T18:45:02.095Z",
    "type": "cve",
    "title": "Rack has a Directory Traversal via Rack:Directory",
    "source": "GitHub_M",
    "references": "https://github.com/rack/rack/security/advisories/GHSA-mxw3-3hh2-x2mh\nhttps://github.com/rack/rack/commit/75c5745c286637a8f049a33790c71237762069e7",
    "id": "CVE-2026-22860",
    "bulletinFamily": "",
    "cwe": [
        "CWE-22",
        "CWE-548"
    ],
    "cvelist": null,
    "sourceData": "rack rack < 2.2.22\nrack rack >= 3.0.0.beta1, < 3.1.20\nrack rack >= 3.2.0, < 3.2.5",
    "sourceHref": "",
    "cvss": {
        "score": 7.5,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "rack",
    "version": "< 2.2.22",
    "vendor": "rack",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}