{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34835", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T20:52:53.284Z", "datePublished": "2026-04-02T17:09:07.047Z", "dateUpdated": "2026-04-02T17:44:03.453Z"}, "containers": {"cna": {"title": "Rack: `Rack::Request` accepts invalid Host characters, enabling host allowlist bypass.", "problemTypes": [{"descriptions": [{"cweId": "CWE-1286", "lang": "en", "description": "CWE-1286: Improper Validation of Syntactic Correctness of Input", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/rack/rack/security/advisories/GHSA-g2pf-xv49-m2h5", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/rack/rack/security/advisories/GHSA-g2pf-xv49-m2h5"}], "affected": [{"vendor": "rack", "product": "rack", "versions": [{"version": ">= 3.0.0.beta1, < 3.1.21", "status": "affected"}, {"version": ">= 3.2.0, < 3.2.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T17:09:07.047Z"}, "descriptions": [{"lang": "en", "value": "Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21, and 3.2.0 to before 3.2.6, Rack::Request parses the Host header using an AUTHORITY regular expression that accepts characters not permitted in RFC-compliant hostnames, including /, ?, #, and @. Because req.host returns the full parsed value, applications that validate hosts using naive prefix or suffix checks can be bypassed. This can lead to host header poisoning in applications that use req.host, req.url, or req.base_url for link generation, redirects, or origin validation. This issue has been patched in versions 3.1.21 and 3.2.6."}], "source": {"advisory": "GHSA-g2pf-xv49-m2h5", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T17:43:54.517566Z", "id": "CVE-2026-34835", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T17:44:03.453Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34835", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-02T17:43:54.517566Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T17:43:58.046Z"}}], "cna": {"title": "Rack: `Rack::Request` accepts invalid Host characters, enabling host allowlist bypass.", "source": {"advisory": "GHSA-g2pf-xv49-m2h5", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "rack", "product": "rack", "versions": [{"status": "affected", "version": ">= 3.0.0.beta1, < 3.1.21"}, {"status": "affected", "version": ">= 3.2.0, < 3.2.6"}]}], "references": [{"url": "https://github.com/rack/rack/security/advisories/GHSA-g2pf-xv49-m2h5", "name": "https://github.com/rack/rack/security/advisories/GHSA-g2pf-xv49-m2h5", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21, and 3.2.0 to before 3.2.6, Rack::Request parses the Host header using an AUTHORITY regular expression that accepts characters not permitted in RFC-compliant hostnames, including /, ?, #, and @. Because req.host returns the full parsed value, applications that validate hosts using naive prefix or suffix checks can be bypassed. This can lead to host header poisoning in applications that use req.host, req.url, or req.base_url for link generation, redirects, or origin validation. This issue has been patched in versions 3.1.21 and 3.2.6."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1286", "description": "CWE-1286: Improper Validation of Syntactic Correctness of Input"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T17:09:07.047Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34835", "state": "PUBLISHED", "dateUpdated": "2026-04-02T17:44:03.453Z", "dateReserved": "2026-03-30T20:52:53.284Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-02T17:09:07.047Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21, and 3.2.0 to before 3.2.6, Rack::Request parses the Host header using an AUTHORITY regular expression that accepts characters not permitted in RFC-compliant hostnames, including /, ?, #, and @. Because req.host returns the full parsed value, applications that validate hosts using naive prefix or suffix checks can be bypassed. This can lead to host header poisoning in applications that use req.host, req.url, or req.base_url for link generation, redirects, or origin validation. This issue has been patched in versions 3.1.21 and 3.2.6."}], "id": "CVE-2026-34835", "lastModified": "2026-04-02T18:16:33.967", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-02T18:16:33.967", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/rack/rack/security/advisories/GHSA-g2pf-xv49-m2h5"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1286"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[3.0.0.beta1,3.1.21)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.2.0,3.2.6)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "rack", "source": "cna", "vendor": "rack"}, "product": "rack", "vendor": "rack"}], "analysis": {"en": {"generated_at": "2026-04-02T22:56:17.108744+00:00", "value": {"mitigation_remediation": ["Update Rack to version 3.1.21 or 3.2.6 or later"], "summary": {"action": "Apply Update", "impact": "Host header bypass leading to potential malicious redirects and link manipulation"}, "threat_synthesis": {"affected_systems": "Ruby web applications built on the Rack framework are directly affected. Specific vulnerable releases are Rack 3.0.0.beta1 up to 3.1.20 and Rack 3.2.0 up to 3.2.5. The issue was fixed in Rack 3.1.21 and 3.2.6. Users of these versions should verify that their environment runs a patched release.", "description_and_impact": "The vulnerability sits in Rack\u2019s request parsing logic where the Host header is matched against an AUTHORITY regular expression that accepts characters forbidden in RFC-compliant hostnames, such as '/', '?', '#', and '@'. Apps that determine a request\u2019s origin or generate URLs from req.host, req.url or req.base_url can inadvertently trust the attacker supplied value. Consequently, a crafted Host header can poison the host for redirects, link generation or origin validation, enabling phishing, open redirects or privilege escalation.", "risk_and_exploitability": "The CVSS base score of 4.8 indicates a moderate severity. Exploitation only requires that the attacker can send a custom Host header, which is trivial from any HTTP request. Because the EPSS score is unavailable and the vulnerability is not listed in CISA\u2019s KEV, there is currently no evidence of active exploitation. However, the attack path is straightforward, and the impact can be significant for applications that rely on host allowlists for security checks, making this a low to moderate risk that should be mitigated promptly."}}}}, "created": "2026-04-03T07:32:24.276589+00:00", "updated": "2026-04-03T09:18:12.537278+00:00", "vendors": ["rack", "rack$PRODUCT$rack"]}