{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32762", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-13T18:53:03.533Z", "datePublished": "2026-04-02T17:06:50.819Z", "dateUpdated": "2026-04-02T17:42:42.305Z"}, "containers": {"cna": {"title": "Rack: Forwarded Header semicolon injection enables Host and Scheme spoofing", "problemTypes": [{"descriptions": [{"cweId": "CWE-436", "lang": "en", "description": "CWE-436: Interpretation Conflict", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/rack/rack/security/advisories/GHSA-qfgr-crr9-7r49", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/rack/rack/security/advisories/GHSA-qfgr-crr9-7r49"}], "affected": [{"vendor": "rack", "product": "rack", "versions": [{"version": ">= 3.0.0.beta1, < 3.1.21", "status": "affected"}, {"version": ">= 3.2.0, < 3.2.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T17:06:50.819Z"}, "descriptions": [{"lang": "en", "value": "Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21 and 3.2.0 to before 3.2.6, Rack::Utils.forwarded_values parses the RFC 7239 Forwarded header by splitting on semicolons before handling quoted-string values. Because quoted values may legally contain semicolons, a header can be interpreted by Rack as multiple Forwarded directives rather than as a single quoted for value. In deployments where an upstream proxy, WAF, or intermediary validates or preserves quoted Forwarded values differently, this discrepancy can allow an attacker to smuggle host, proto, for, or by parameters through a single header value. This issue has been patched in versions 3.1.21 and 3.2.6."}], "source": {"advisory": "GHSA-qfgr-crr9-7r49", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T17:42:32.117443Z", "id": "CVE-2026-32762", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T17:42:42.305Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32762", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-02T17:42:32.117443Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T17:42:37.595Z"}}], "cna": {"title": "Rack: Forwarded Header semicolon injection enables Host and Scheme spoofing", "source": {"advisory": "GHSA-qfgr-crr9-7r49", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "rack", "product": "rack", "versions": [{"status": "affected", "version": ">= 3.0.0.beta1, < 3.1.21"}, {"status": "affected", "version": ">= 3.2.0, < 3.2.6"}]}], "references": [{"url": "https://github.com/rack/rack/security/advisories/GHSA-qfgr-crr9-7r49", "name": "https://github.com/rack/rack/security/advisories/GHSA-qfgr-crr9-7r49", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21 and 3.2.0 to before 3.2.6, Rack::Utils.forwarded_values parses the RFC 7239 Forwarded header by splitting on semicolons before handling quoted-string values. Because quoted values may legally contain semicolons, a header can be interpreted by Rack as multiple Forwarded directives rather than as a single quoted for value. In deployments where an upstream proxy, WAF, or intermediary validates or preserves quoted Forwarded values differently, this discrepancy can allow an attacker to smuggle host, proto, for, or by parameters through a single header value. This issue has been patched in versions 3.1.21 and 3.2.6."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-436", "description": "CWE-436: Interpretation Conflict"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T17:06:50.819Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32762", "state": "PUBLISHED", "dateUpdated": "2026-04-02T17:42:42.305Z", "dateReserved": "2026-03-13T18:53:03.533Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-02T17:06:50.819Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21 and 3.2.0 to before 3.2.6, Rack::Utils.forwarded_values parses the RFC 7239 Forwarded header by splitting on semicolons before handling quoted-string values. Because quoted values may legally contain semicolons, a header can be interpreted by Rack as multiple Forwarded directives rather than as a single quoted for value. In deployments where an upstream proxy, WAF, or intermediary validates or preserves quoted Forwarded values differently, this discrepancy can allow an attacker to smuggle host, proto, for, or by parameters through a single header value. This issue has been patched in versions 3.1.21 and 3.2.6."}], "id": "CVE-2026-32762", "lastModified": "2026-04-02T18:16:27.730", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-02T18:16:27.730", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/rack/rack/security/advisories/GHSA-qfgr-crr9-7r49"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-436"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[3.0.0.beta1,3.1.21)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.2.0,3.2.6)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "rack", "source": "cna", "vendor": "rack"}, "product": "rack", "vendor": "rack"}], "analysis": {"en": {"generated_at": "2026-04-02T22:34:40.266451+00:00", "value": {"mitigation_remediation": ["Upgrade Rack to at least version 3.1.21 or 3.2.6.", "Verify the deployed version, for example by checking the gem specification or runtime environment.", "Restart the web application to ensure the updated Rack middleware is loaded."], "summary": {"action": "Apply Patch", "impact": "Host and Scheme Spoofing"}, "threat_synthesis": {"affected_systems": "The vulnerable product is Rack. Versions from 3.0.0.beta1 up to 3.1.20, and from 3.2.0 up to 3.2.5, are affected. The issue is fixed in Rack 3.1.21 and 3.2.6.", "description_and_impact": "Rack, a modular Ruby web server interface, interprets the RFC 7239 Forwarded header by splitting on semicolons before processing quoted-string values. Quoted values may legitimately contain semicolons, so a single header can be read as multiple Forwarded directives instead of a single quoted value. This parsing quirk allows an attacker to smuggle host, proto, for, or by parameters into one header, causing Rack to believe the request originates from a forged host or scheme. The result is host and scheme spoofing, which can mislead applications that rely on these header values for authentication or routing.", "risk_and_exploitability": "The vulnerability has a CVSS score of 4.8, indicating moderate severity. No EPSS data is available and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is a remote HTTP request that includes a malicious Forwarded header to the Rack application. The attacker only needs to send a request that incorporates the forged header. Successful exploitation results in host or scheme spoofing, potentially undermining any logic that depends on these forwarded values."}}}}, "created": "2026-04-03T07:32:27.240733+00:00", "updated": "2026-04-03T09:18:15.494715+00:00", "vendors": ["rack", "rack$PRODUCT$rack"]}