CVE-2026-34785: Rack: Local file inclusion in `Rack::Static` via URL Prefix Matching

Published Apr 2, 2026

Summary

Rack::Static determines whether a request should be served as a static file using a simple string prefix check. When configured with URL prefixes such as "/css", it matches any request path that begins with that string, including unrelated paths such as "/css-config.env" or "/css-backup.sql".

As a result, files under the static root whose names merely share the configured prefix may be served unintentionally, leading to information disclosure.

Details

Rack::Static#routefile performs static-route matching using logic equivalent to:

```ruby
@urls.any? { |url| path.index(url) == 0 }
```

This checks only whether the request path starts with the configured prefix string. It does not require a path segment boundary after the prefix.

For example, with:

```ruby
use Rack::Static, urls: ["/css", "/js"], root: "public"
```

the following path is matched as intended:

```text
/css/style.css
```

but these paths are also matched:

```text
/css-config.env
/css-backup.sql
/csssecrets.yml
```

If such files exist under the configured static root, Rack forwards the request to the file server and serves them as static content.

This means a configuration intended to expose only directory trees such as /css/... and /js/... may also expose sibling files whose names begin with those same strings.

Impact

An attacker can request files under the configured static root whose names share a configured URL prefix and obtain their contents.

In affected deployments, this may expose configuration files, secrets, backups, environment files, or other unintended static content located under the same root directory.

Mitigation

Update to a patched version of Rack that enforces a path boundary when matching configured static URL prefixes. Match only paths that are either exactly equal to the configured prefix or begin with prefix + "/". Avoid placing sensitive files under the Rack::Static root directory. Prefer static URL mappings that cannot overlap with sensitive filenames.
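To make the difference between the two matching rules concrete, here is an added example (not Rack's own code) that places the prefix-only check from the Details section beside a matcher that enforces the path-segment boundary described in the Mitigation, and runs both over constructed request paths modelled on the advisory's examples; whether the patched Rack release is written exactly this way is an assumption.

```ruby
# Vulnerable form: serves any path that merely starts with a configured prefix.
def prefix_match?(urls, path)
  urls.any? { |url| path.index(url) == 0 }
end

# Hardened form: the path must equal the prefix or continue with "/" after it,
# so "/css-config.env" no longer matches "/css".
def boundary_match?(urls, path)
  urls.any? { |url| path == url || path.start_with?("#{url}/") }
end

# Constructed configuration and request paths for the comparison.
URLS = ["/css", "/js"].freeze
SAMPLE_PATHS = [
  "/css/style.css",   # intended static asset
  "/css",             # exact prefix, still allowed by both rules
  "/js/app.js",       # intended static asset
  "/css-config.env",  # sibling file that only shares the prefix string
  "/css-backup.sql",
  "/csssecrets.yml",
  "/index.html"       # unrelated path, never matched
].freeze

# Returns the sample paths that the named matcher would hand to the file server.
def served_by(matcher)
  SAMPLE_PATHS.select { |p| send(matcher, URLS, p) }
end

if __FILE__ == $PROGRAM_NAME
  puts "prefix-only match serves:   #{served_by(:prefix_match?).inspect}"
  puts "boundary match serves:      #{served_by(:boundary_match?).inspect}"
end
```

Running the file shows the prefix-only rule handing all three sibling files to the file server, while the boundary rule passes only the two intended assets and the bare prefix.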

Other sources

Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Static determines whether a request should be served as a static file using a simple string prefix check. When configured with URL prefixes such as "/css", it matches any request path that begins with that string, including unrelated paths such as "/css-config.env" or "/css-backup.sql". As a result, files under the static root whose names merely share the configured prefix may be served unintentionally, leading to information disclosure. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.

MITRE

Affected Software

6 affected components, fixes available:

rubygems/rack >=3.2.0, <3.2.6 (fixed in 3.2.6)
rubygems/rack >=3.0.0.beta1, <3.1.21 (fixed in 3.1.21)
rubygems/rack <2.2.23 (fixed in 2.2.23)
Rack Rack Ruby <2.2.23
Rack Rack Ruby >=3.0.0, <3.1.21
Rack Rack Ruby >=3.2.0, <3.2.6

Event History

Apr 2, 2026

04:44 PM - CVE Published via MITRE
04:44 PM - Data Sourced via MITRE (Description, Severity, Weakness)
05:16 PM - Data Sourced via NVD (Description, Severity, Weakness)
05:16 PM - Data Sourced via NVD (Affected Software)
06:44 PM - Advisory Published via GitHub
06:44 PM - Data Sourced via GitHub (Description, Severity, Weakness, Affected Software)

Frequently Asked Questions

1. What is the severity of CVE-2026-34785?

CVE-2026-34785 has a moderate severity rating due to the potential for local file inclusion vulnerabilities.

2. How do I fix CVE-2026-34785?

To fix CVE-2026-34785, upgrade Rack to version 2.2.24, 3.1.22, or 3.2.7 or later.

3. What types of applications are affected by CVE-2026-34785?

CVE-2026-34785 affects applications using vulnerable versions of the Rack framework configured with specific URL prefixes.

4. Is CVE-2026-34785 a remote or local attack vulnerability?

CVE-2026-34785 is categorized as a local file inclusion vulnerability, which requires local access to exploit.

5. What components of Rack are vulnerable in CVE-2026-34785?

CVE-2026-34785 specifically impacts the Rack::Static component of the Rack framework.
