PT-2026-29818 · Rack+3

Mzfr · Published 2026-04-02 · Updated 2026-05-13 · CVE-2026-34830

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Rack versions prior to 2.2.23, 3.1.21, and 3.2.6

Description

Rack's Rack::Sendfile#map_accel_path method uses the value of the X-Accel-Mapping request header directly in a regular expression when rewriting the file paths used with X-Accel-Redirect. Because this header value is not sanitized, an attacker can inject regular expression metacharacters through the header and manipulate the generated X-Accel-Redirect response header. In deployments that use Rack::Sendfile with x-accel-redirect, this can cause nginx to serve unintended files from its configured internal locations.

The issue arises because the internal part of the mapping, taken from the X-Accel-Mapping request header, is interpolated into a regular expression without escaping. An attacker can supply metacharacters such as .* or capture groups to alter the path substitution. The expected behaviour of the header-based mapping is to treat the header value as a literal path prefix.

The issue is exploitable when untrusted X-Accel-Mapping headers reach Rack, for example in reverse proxy configurations that fail to set the header on some routes. This can lead to unauthorized file disclosure, with the impact depending on the deployment architecture.

Recommendations

Update to Rack version 2.2.23 or later.
Update to Rack version 3.1.21 or later.
Update to Rack version 3.2.6 or later.
Strip or overwrite inbound X-Accel-Mapping headers at the reverse proxy.
Prefer explicit application-configured sendfile mappings instead of relying on request-header mappings.
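The mechanism described above, as an added example that is not Rack's own code: a simplified model of a header-driven X-Accel-Mapping rewrite, showing the unescaped regexp interpolation beside a hardened form that treats the header's internal prefix as a literal via Regexp.escape. The function names and the sample header values are constructed for this illustration.

```ruby
# Added example, not code from Rack: models how an X-Accel-Mapping header
# value becomes a path rewrite, with and without escaping the prefix.

# Parse "internal=external" pairs (comma separated) from an X-Accel-Mapping
# header value. Returns an array of [internal, external] pairs; either
# element may be nil if the pair is malformed.
def parse_accel_mapping(header)
  header.split(',').map(&:strip).map do |pair|
    internal, external = pair.split('=', 2).map(&:strip)
    [internal, external]
  end
end

# Model of the pre-fix behaviour: the internal prefix is interpolated into a
# regexp unescaped, so any metacharacters in the header change what matches.
def map_accel_path_unescaped(path, header)
  parse_accel_mapping(header).each do |internal, external|
    next if internal.nil? || external.nil?
    new_path = path.sub(/^#{internal}/i, external)
    return new_path unless new_path == path
  end
  path
end

# Hardened form: Regexp.escape turns the prefix into a literal match, so the
# header can only ever strip the exact path prefix it names.
def map_accel_path_escaped(path, header)
  parse_accel_mapping(header).each do |internal, external|
    next if internal.nil? || external.nil?
    new_path = path.sub(/\A#{Regexp.escape(internal)}/i, external)
    return new_path unless new_path == path
  end
  path
end

# Constructed sample header values for the demonstration.
BENIGN_MAPPING   = '/var/www/files/=/files/'
HOSTILE_MAPPING  = '.*=/internal/'  # metacharacters instead of a literal prefix

if $PROGRAM_NAME == __FILE__
  file = '/var/www/files/report.pdf'
  puts "benign, unescaped:  #{map_accel_path_unescaped(file, BENIGN_MAPPING)}"
  puts "hostile, unescaped: #{map_accel_path_unescaped(file, HOSTILE_MAPPING)}"
  puts "hostile, escaped:   #{map_accel_path_escaped(file, HOSTILE_MAPPING)}"
end
```

With the escaped form the hostile header simply fails to match and the path is left untouched, which is the literal-prefix behaviour the advisory expects.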

Related Identifiers

CVE-2026-34830
GHSA-QV7J-4883-HWH7
OPENSUSE-SU-2026:10508-1
USN-8182-1

Affected Products

Linuxmint
Rack
Red Os
Ubuntu