PT-2026-29857 · Rack+2

Th4S1S · Published 2026-04-02 · Updated 2026-04-17 · CVE-2026-34835

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Rack versions 3.0.0.beta1 through 3.1.21, and 3.2.0 through 3.2.6 are affected by an issue where the Rack::Request component improperly parses the Host header, accepting characters that are not permitted in RFC-compliant hostnames, such as /, ?, #, and @. This can lead to Host header poisoning in applications that use req.host, req.url, or req.base_url for link generation, redirects, or origin validation. The root cause is an overly permissive regular expression used to parse the authority component of the Host header. Applications that perform only naive host validation may be vulnerable.
Recommendations: Update to Rack version 3.1.21 or 3.2.6 or later.
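As an added illustration of the defensive check the advisory implies (this is example code, not Rack's own parser or fix), the following strict validator accepts only an RFC-style authority (hostname or bracketed IPv6 literal, optional numeric port) and rejects the characters named above, so an application can apply it to the raw Host value before trusting req.host or req.base_url; the allowlist helper and the sample inputs are assumptions for the example.

```ruby
require 'ipaddr'

# DNS-style hostname: dot-separated labels of letters, digits and hyphens.
# Anything else in the host part (/, ?, #, @, spaces, ...) fails to match.
HOSTNAME_RE = /\A(?=.{1,253}\z)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*\.?\z/i
PORT_RE = /\A[0-9]{1,5}\z/

# Returns [host, port] (host lower-cased, port Integer or nil) when the
# header is a well-formed authority, nil otherwise. A nil result should be
# treated as an untrusted request, not silently defaulted.
def parse_host_header(value)
  return nil if value.nil? || value.empty?
  if value.start_with?('[')                      # IPv6 literal, e.g. "[::1]:3000"
    close = value.index(']')
    return nil unless close
    host = value[1...close]
    rest = value[(close + 1)..]
    return nil unless rest.empty? || rest.start_with?(':')
    port = rest.empty? ? nil : rest[1..]
    begin
      return nil unless IPAddr.new(host).ipv6?
    rescue IPAddr::InvalidAddressError
      return nil
    end
  else                                           # hostname or IPv4, optional ":port"
    parts = value.split(':', -1)
    return nil if parts.size > 2                 # a second ':' means junk, not a port
    host, port = parts
    return nil unless HOSTNAME_RE.match?(host)
  end
  if port
    return nil unless PORT_RE.match?(port) && port.to_i.between?(1, 65535)
  end
  [host.downcase, port&.to_i]
end

# Second layer: syntactic validity is not enough; only hosts the application
# actually serves should be used for links, redirects or origin checks.
def trusted_host?(value, allowed_hosts)
  parsed = parse_host_header(value)
  return false unless parsed
  allowed_hosts.include?(parsed[0])
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample Host values: the last four carry the characters the
  # advisory says an over-permissive parser lets through.
  ['example.com:8080', '[::1]:3000', 'example.com/evil',
   'example.com?x=1', 'example.com#frag', 'evil.com@example.com'].each do |h|
    puts "#{h.inspect} => #{parse_host_header(h).inspect}"
  end
end
```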

Related Identifiers

CVE-2026-34835
GHSA-G2PF-XV49-M2H5
USN-8182-1

Affected Products

Linuxmint
Rack
Ubuntu