CVE-2026-22860: Rack has a Directory Traversal via Rack::Directory

Published Feb 17, 2026

Summary

Rack::Directory’s path check used a string prefix match on the expanded path. A request like /../rootexample/ can escape the configured root if the target path starts with the root string, allowing directory listing outside the intended root.

Details

In directory.rb, File.expand_path(File.join(root, path_info)).start_with?(root) does not enforce a path boundary. If the server root is /var/www/root, a path like /var/www/rootbackup passes the check because it shares the same prefix, so Rack::Directory will list that directory as well.
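The following Ruby script, added here as an illustration and not taken from Rack's source or its patch, places the prefix-only check described above beside a boundary-aware check and runs both over constructed request paths against the root /var/www/root. It works on strings only (File.expand_path does not consult the filesystem), so the sibling-prefix escape is visible without creating any directories.

```ruby
# Added illustration (not Rack's own code): the prefix-only check described in
# the advisory beside a boundary-aware check. Both operate on strings only, so
# the script runs without touching the filesystem.
ROOT = "/var/www/root".freeze

# Vulnerable form: a plain string prefix test. Any sibling whose name begins
# with "root" (rootbackup, root2, ...) shares the prefix and passes.
def prefix_check_allows?(root, path_info)
  File.expand_path(File.join(root, path_info)).start_with?(root)
end

# Hardened form: the resolved path must be the root itself or lie beneath
# root + File::SEPARATOR, which forces a directory boundary after the root.
def boundary_check_allows?(root, path_info)
  root = File.expand_path(root)
  resolved = File.expand_path(File.join(root, path_info))
  resolved == root || resolved.start_with?(root + File::SEPARATOR)
end

# Maps each request path to [prefix-check result, boundary-check result]
# so the two checks can be compared side by side.
def compare_checks(root, path_infos)
  path_infos.each_with_object({}) do |pi, acc|
    acc[pi] = [prefix_check_allows?(root, pi), boundary_check_allows?(root, pi)]
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample requests: two legitimate, one sibling-prefix escape
  # (resolves to /var/www/rootbackup), one ordinary traversal (/var/etc).
  requests = ["/", "/images/logo.png", "/../rootbackup/", "/../../etc/"]
  compare_checks(ROOT, requests).each do |pi, (weak, strong)|
    printf("%-20s prefix=%-5s boundary=%s\n", pi, weak, strong)
  end
end
```

Only the sibling-prefix request separates the two checks: the prefix test admits it, the boundary test rejects it, while in-root paths pass both and the plain traversal fails both.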

Impact

Information disclosure via directory listing outside the configured root when Rack::Directory is exposed to untrusted clients and a directory shares the root prefix (e.g., public2, wwwbackup).

Mitigation

Update to a patched version of Rack that correctly checks the root prefix. Don't name directories with the same prefix as one which is exposed via Rack::Directory.

Other sources

Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, Rack::Directory’s path check used a string prefix match on the expanded path. A request like /../rootexample/ can escape the configured root if the target path starts with the root string, allowing directory listing outside the intended root. Versions 2.2.22, 3.1.20, and 3.2.5 fix the issue.

NVD

Affected Software

7 affected components, fixes available:

rubygems/rack      >=3.2.0, <3.2.5          fixed in 3.2.5
rubygems/rack      >=3.0.0.beta1, <3.1.20   fixed in 3.1.20
rubygems/rack      <2.2.22                  fixed in 2.2.22
Rack Rack Ruby     <2.2.22
Rack Rack Ruby     >=3.0.0, <3.1.20
Rack Rack Ruby     >=3.2.0, <3.2.5
IBM Aspera Shares  <=1.9.9 - 1.11.0

Event History

Feb 17, 2026
  Advisory Published via GitHub, 04:14 PM
  Data Sourced via GitHub, 04:14 PM (Description, Severity, Weakness, Affected Software)
Feb 18, 2026
  CVE Published via MITRE, 06:45 PM
  Data Sourced via MITRE, 06:45 PM (Description, Severity, Weakness)
  Data Sourced via NVD, 07:21 PM (Remedy, Description, Severity, Weakness, Affected Software)
Mar 27, 2026
  Data Sourced via IBM, 12:00 AM (Description, Affected Software)



Frequently Asked Questions

1. What is the severity of CVE-2026-22860?

CVE-2026-22860 is considered a high severity vulnerability due to its potential to allow directory listing outside the intended root.

2. How do I fix CVE-2026-22860?

To fix CVE-2026-22860, upgrade Rack to version 3.2.5, 3.1.20, or 2.2.22 or later.

3. What vulnerabilities are associated with CVE-2026-22860?

CVE-2026-22860 affects versions of Rack prior to 3.2.5, 3.1.20, and 2.2.22.

4. What is the impact of CVE-2026-22860?

The impact of CVE-2026-22860 can result in unauthorized access to files outside the intended directory structure.

5. Who is affected by CVE-2026-22860?

Developers and applications using vulnerable versions of the Rack library are affected by CVE-2026-22860.
