PT-2026-20305 · Rack+3

Masamuneee · Published 2026-01-01 · Updated 2026-04-17 · CVE-2026-22860

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Rack versions prior to 2.2.22
Rack versions prior to 3.1.20
Rack versions prior to 3.2.5

Description

The Rack::Directory component had a path check that used a string prefix match on the expanded path. A crafted request, such as `/../root_example/`, could bypass the configured root if the target path shared a prefix with the root string, potentially enabling directory listing outside the intended root. This occurs because the check `File.expand_path(File.join(root, path_info)).start_with?(root)` does not enforce a path boundary: it compares characters, not path components. For example, if the server root is `/var/www/root`, a path like `/var/www/root_backup` could pass the check. This could lead to information disclosure via directory listing when Rack::Directory is exposed to untrusted clients and a sibling directory shares the root's name as a prefix.

Recommendations

Update Rack to version 2.2.22 or later.
Update Rack to version 3.1.20 or later.
Update Rack to version 3.2.5 or later.
Avoid naming directories with the same prefix as those exposed via Rack::Directory.
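To make the boundary problem concrete, the following is an added example (not Rack's own code or its patch): the prefix-only check the advisory describes beside a boundary-aware variant that requires the root itself or the root followed by a path separator. The root `/var/www/root` and the sibling `root_backup` are the advisory's illustrative names, and the other request paths are constructed for this example.

```ruby
# Constructed example: a prefix-only root check versus a boundary-aware one.
# Neither function is Rack's code; they reproduce the logic the advisory
# describes so the difference can be observed on sample paths.

# Pre-fix style check: plain string prefix match on the expanded path.
# "/var/www/root_backup" starts with "/var/www/root", so it passes.
def prefix_only_in_root?(root, path_info)
  File.expand_path(File.join(root, path_info)).start_with?(root)
end

# Boundary-aware check: the candidate must be exactly the root, or the root
# followed by a separator, so a sibling that merely shares the name prefix
# is rejected along with ordinary "../" traversal out of the root.
def boundary_in_root?(root, path_info)
  root = File.expand_path(root)
  candidate = File.expand_path(File.join(root, path_info))
  candidate == root || candidate.start_with?(root + File::SEPARATOR)
end

# Evaluate both checks over a set of constructed request paths and return
# a hash of { path_info => [prefix_only_result, boundary_result] }.
def compare_checks(root, path_infos)
  path_infos.each_with_object({}) do |pi, acc|
    acc[pi] = [prefix_only_in_root?(root, pi), boundary_in_root?(root, pi)]
  end
end

if $PROGRAM_NAME == __FILE__
  root = "/var/www/root"                       # illustrative root from the advisory
  paths = ["/", "/images/", "/../root_backup/", "/../etc/"]  # constructed inputs
  compare_checks(root, paths).each do |pi, (weak, strong)|
    puts format("%-18s prefix-only=%-5s boundary=%s", pi, weak, strong)
  end
end
```

The sibling-directory request is the only one where the two checks disagree; both reject a request that resolves outside `/var/www` entirely.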

Exploit · Fix · Path traversal

Weakness Enumeration

Related Identifiers

BDU:2026-07219
CVE-2026-22860
GHSA-MXW3-3HH2-X2MH
MGASA-2026-0075
OPENSUSE-SU-2026:10286-1
USN-8066-1

Affected Products

Linuxmint
Rack
Red Os
Ubuntu