PT-2026-29808 · Rack+3

Codebymoriarty · Published 2026-04-02 · Updated 2026-05-13 · CVE-2026-26961

CVSS v3.1: 5.3 Medium

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Rack versions prior to 2.2.23, 3.1.21, and 3.2.6

Description

Rack’s Rack::Multipart::Parser uses a greedy regular expression to extract the boundary parameter from multipart/form-data. When a Content-Type header contains multiple boundary parameters, Rack selects the last one instead of the first. This discrepancy can allow an attacker to smuggle multipart content past upstream inspection if an upstream proxy, WAF, or intermediary interprets the first boundary parameter, leading Rack to parse a different body structure than the intermediary validated. This can result in malicious form fields or uploaded content bypassing upstream filtering. The issue is most relevant in layered deployments where security decisions are made before the request reaches Rack.

Recommendations

Update to Rack version 2.2.23 or later. Update to Rack version 3.1.21 or later. Update to Rack version 3.2.6 or later.
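
A defensive check for the ambiguity described above, as an added example that is not Rack's code or part of the original advisory: it lists every boundary parameter in a Content-Type header and refuses multipart requests that carry more than one. The constant, method and middleware names and the sample headers are assumptions constructed for illustration.

```ruby
# Added example, not Rack's code. Names are hypothetical, headers constructed.

# One parameter: ";" name "=" (quoted-string | token), simplified from RFC 9110.
PARAM = /;\s*([^=;\s"]+)\s*=\s*(?:"((?:\\.|[^"\\])*)"|([^;\s"]*))/

# Every boundary value in header order. Quoted strings are consumed whole,
# so 'boundary="a; boundary=b"' counts as one parameter, not two.
def boundary_values(content_type)
  content_type.to_s.scan(PARAM).filter_map do |name, quoted, token|
    next unless name.casecmp?("boundary")
    quoted ? quoted.gsub(/\\(.)/, '\1') : token
  end
end

# Rack-style middleware in plain Ruby (no rack gem required): refuse a
# multipart request with several boundary parameters rather than pick one.
class RejectAmbiguousBoundary
  def initialize(app)
    @app = app
  end

  def call(env)
    ctype = env["CONTENT_TYPE"].to_s
    if ctype.match?(%r{\A\s*multipart/}i) && boundary_values(ctype).length > 1
      return [400, { "content-type" => "text/plain" },
              ["ambiguous multipart boundary\n"]]
    end
    @app.call(env)
  end
end

# Constructed sample headers.
SAMPLES = [
  'multipart/form-data; boundary=first; boundary=last',
  'multipart/form-data; charset=utf-8; boundary="a; boundary=b"',
  'multipart/form-data; boundary=only'
].freeze

app = ->(_env) { [200, { "content-type" => "text/plain" }, ["ok\n"]] }
guard = RejectAmbiguousBoundary.new(app)
SAMPLES.each do |header|
  values = boundary_values(header)
  status = guard.call("CONTENT_TYPE" => header).first
  puts "#{status} first=#{values.first.inspect} last=#{values.last.inspect} #{header}"
end
```

Where the first and last values differ, an intermediary that reads the first parameter and an unpatched Rack that reads the last would split the same body differently, so the request is rejected instead of normalized.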

Exploit

Fix

DoS


Weakness Enumeration

Related Identifiers

BDU:2026-07734
CVE-2026-26961
GHSA-VGPV-F759-9WX3
OPENSUSE-SU-2026:10508-1
USN-8182-1

Affected Products

Linuxmint
Rack
Red Os
Ubuntu