Rack: `Rack::Request` accepts invalid Host characters, enabling host allowlist bypass.

4.8 / 10

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Description

Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21, and 3.2.0 to before 3.2.6, Rack::Request parses the Host header using an AUTHORITY regular expression that accepts characters not permitted in RFC-compliant hostnames, including /, ?, #, and @. Because req.host returns the full parsed value, applications that validate hosts using naive prefix or suffix checks can be bypassed. This can lead to host header poisoning in applications that use req.host, req.url, or req.base_url for link generation, redirects, or origin validation. This issue has been patched in versions 3.1.21 and 3.2.6.

Basic Information

ID CVE-2026-34835

Source GitHub_M

Published Apr 2, 2026 at 17:09

Modified Apr 2, 2026 at 17:44

Affected Product

Vendor rack

Product rack

Version >= 3.0.0.beta1, < 3.1.21

Affected Versions rack rack >= 3.0.0.beta1, < 3.1.21
rack rack >= 3.2.0, < 3.2.6

CWE Classification

CWE-1286

References

github.com /rack/rack/security/advisories/GHSA-g2pf-xv49-m2h5

{
    "lastseen": "",
    "description": "Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21, and 3.2.0 to before 3.2.6, Rack::Request parses the Host header using an AUTHORITY regular expression that accepts characters not permitted in RFC-compliant hostnames, including /, ?, #, and @. Because req.host returns the full parsed value, applications that validate hosts using naive prefix or suffix checks can be bypassed. This can lead to host header poisoning in applications that use req.host, req.url, or req.base_url for link generation, redirects, or origin validation. This issue has been patched in versions 3.1.21 and 3.2.6.",
    "published": "2026-04-02T17:09:07.047Z",
    "modified": "2026-04-02T17:44:03.453Z",
    "type": "cve",
    "title": "Rack: `Rack::Request` accepts invalid Host characters, enabling host allowlist bypass.",
    "source": "GitHub_M",
    "references": "https://github.com/rack/rack/security/advisories/GHSA-g2pf-xv49-m2h5",
    "id": "CVE-2026-34835",
    "bulletinFamily": "",
    "cwe": [
        "CWE-1286"
    ],
    "cvelist": null,
    "sourceData": "rack rack >= 3.0.0.beta1, < 3.1.21\nrack rack >= 3.2.0, < 3.2.6",
    "sourceHref": "",
    "cvss": {
        "score": 4.8,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "rack",
    "version": ">= 3.0.0.beta1, < 3.1.21",
    "vendor": "rack",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Rack: `Rack::Request` accepts invalid Host characters, enabling host allowlist bypass._CVE-2026-34835