{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26961", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-16T22:20:28.611Z", "datePublished": "2026-04-02T16:42:16.766Z", "dateUpdated": "2026-04-02T16:42:16.766Z"}, "containers": {"cna": {"title": "Rack: Multipart Boundary Parsing Ambiguity allowing WAF Bypass", "problemTypes": [{"descriptions": [{"cweId": "CWE-436", "lang": "en", "description": "CWE-436: Interpretation Conflict", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/rack/rack/security/advisories/GHSA-vgpv-f759-9wx3", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/rack/rack/security/advisories/GHSA-vgpv-f759-9wx3"}], "affected": [{"vendor": "rack", "product": "rack", "versions": [{"version": "< 2.2.23", "status": "affected"}, {"version": ">= 3.0.0.beta1, < 3.1.21", "status": "affected"}, {"version": ">= 3.2.0, < 3.2.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T16:42:16.766Z"}, "descriptions": [{"lang": "en", "value": "Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser extracts the boundary parameter from multipart/form-data using a greedy regular expression. When a Content-Type header contains multiple boundary parameters, Rack selects the last one rather than the first. In deployments where an upstream proxy, WAF, or intermediary interprets the first boundary parameter, this mismatch can allow an attacker to smuggle multipart content past upstream inspection and have Rack parse a different body structure than the intermediary validated. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6."}], "source": {"advisory": "GHSA-vgpv-f759-9wx3", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser extracts the boundary parameter from multipart/form-data using a greedy regular expression. When a Content-Type header contains multiple boundary parameters, Rack selects the last one rather than the first. In deployments where an upstream proxy, WAF, or intermediary interprets the first boundary parameter, this mismatch can allow an attacker to smuggle multipart content past upstream inspection and have Rack parse a different body structure than the intermediary validated. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6."}], "id": "CVE-2026-26961", "lastModified": "2026-04-02T17:16:21.973", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-02T17:16:21.973", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/rack/rack/security/advisories/GHSA-vgpv-f759-9wx3"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-436"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.2.23)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.0.0.beta1,3.1.21)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.2.0,3.2.6)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "rack", "source": "cna", "vendor": "rack"}, "product": "rack", "vendor": "rack"}], "analysis": {"en": {"generated_at": "2026-04-02T21:41:15.395235+00:00", "value": {"mitigation_remediation": ["Upgrade Rack to version 2.2.23 or newer, 3.1.21 or newer, or 3.2.6 or newer, depending on your environment."], "summary": {"action": "Apply patch", "impact": "WAF bypass"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Rack web server framework. Versions prior to 2.2.23, 3.1.21, and 3.2.6 are impacted. Updating to the specified patched releases resolves the issue.", "description_and_impact": "Rack, the Ruby web server interface, uses a greedy regular expression to extract the boundary parameter from multipart/form-data. When a Content-Type header contains multiple boundary parameters, Rack incorrectly selects the last one instead of the first. This mismatch allows an attacker to embed multipart content that passes through upstream proxies, WAFs, or other intermediaries while Rack interprets a different body structure. The result is a potential bypass of upstream inspection, enabling malicious data to reach the application with little to no filtering.", "risk_and_exploitability": "The CVSS score of 3.7 indicates a low severity but the flaw can be exploited remotely via crafted HTTP requests that deliver multiple boundary parameters. No exploit probability score is available, and the vulnerability is not listed in the CISA KEV catalog. Attackers would need to send a specially crafted request that passes through an upstream inspection system that follows the first boundary parameter, while Rack uses the last parameter, allowing content to bypass the intermediary checks."}}}}, "created": "2026-04-03T07:36:08.357144+00:00", "updated": "2026-04-03T09:18:30.607564+00:00", "vendors": ["rack", "rack$PRODUCT$rack"]}