PT-2026-29812 · Rack+3

Th4S1S · Published 2026-04-02 · Updated 2026-05-13 · CVE-2026-34785

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Rack versions prior to 2.2.23, 3.1.21, and 3.2.6

Description
Rack::Static uses a simple string prefix check to decide whether a request should be served as a static file. When configured with URL prefixes like "/css", it matches any request path starting with that string, including unrelated paths such as "/css-config.env" or "/css-backup.sql". This can lead to unintentional serving of files under the static root that share the configured prefix, resulting in information disclosure. The issue occurs because the matching logic only checks whether the request path starts with the prefix string, without requiring a path segment boundary. For example, with a configuration such as `use Rack::Static, urls: ["/css", "/js"], root: "public"`, paths like /css-config.env and /css-backup.sql are also matched if such files exist under the static root. This can expose configuration files, secrets, backups, or other unintended static content.

Recommendations
Update to Rack version 2.2.23 or later. Update to Rack version 3.1.21 or later. Update to Rack version 3.2.6 or later. Avoid placing sensitive files under the Rack::Static root directory. Prefer static URL mappings that cannot overlap with sensitive filenames.
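As an added example (not Rack's own code), the two matching rules described above are modelled in Ruby: the bare prefix check that causes the issue and a segment-boundary check that does not. An audit helper then lists files under a static root that the prefix rule would serve but the boundary rule would not, which is a practical way to verify the recommendation about sensitive files under the root; the directory layout and file names in the demo are constructed.

```ruby
# Added example, not Rack's code: a simplified model of the matching rules
# described in the advisory, plus an audit helper for a static root.
require "tmpdir"
require "fileutils"

# Vulnerable rule: any request path that merely starts with a configured
# prefix matches, so "/css-config.env" matches the "/css" mapping.
def prefix_match?(path, urls)
  urls.any? { |url| path.start_with?(url) }
end

# Hardened rule: the prefix must end on a path-segment boundary, i.e. the
# request path is exactly the prefix or continues with "/".
def segment_match?(path, urls)
  urls.any? { |url| path == url || path.start_with?("#{url}/") }
end

# Audit helper: report files under root whose request path ("/" + relative
# path) the prefix rule would serve but the segment rule would not.
def overexposed_files(root, urls)
  Dir.glob("**/*", base: root)
     .reject { |rel| File.directory?(File.join(root, rel)) }
     .map { |rel| "/#{rel}" }
     .select { |req| prefix_match?(req, urls) && !segment_match?(req, urls) }
     .sort
end

# Constructed demo: legitimate assets under css/ and js/ next to two stray
# files whose names collide with the "/css" prefix (sample names only).
def demo
  Dir.mktmpdir do |root|
    FileUtils.mkdir_p(File.join(root, "css"))
    FileUtils.mkdir_p(File.join(root, "js"))
    %w[css/app.css js/app.js css-config.env css-backup.sql index.html].each do |f|
      File.write(File.join(root, f), "")
    end
    overexposed_files(root, ["/css", "/js"])
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Running the demo lists "/css-backup.sql" and "/css-config.env" as the files exposed only by the prefix rule, while "/css/app.css" and "/js/app.js" are served under both rules.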

Exploit

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

BDU:2026-07735
CVE-2026-34785
GHSA-H2JQ-G4CQ-5PPQ
OPENSUSE-SU-2026:10508-1
USN-8182-1

Affected Products

Linuxmint
Rack
Red Os
Ubuntu