CVE-2026-34830: Rack: Rack::Sendfile regex injection via HTTP_X_ACCEL_MAPPING header allows arbitrary file reads through nginx

Published Apr 2, 2026
·
Updated

Summary

Rack::Sendfile#mapaccelpath interpolates the value of the X-Accel-Mapping request header directly into a regular expression when rewriting file paths for X-Accel-Redirect. Because the header value is not escaped, an attacker who can supply X-Accel-Mapping to the backend can inject regex metacharacters and control the generated X-Accel-Redirect response header.

In deployments using Rack::Sendfile with x-accel-redirect, this can allow an attacker to cause nginx to serve unintended files from configured internal locations.

Details

Rack::Sendfile#mapaccelpath processes header-supplied mappings using logic equivalent to:

ruby mapping.split(',').map(&:strip).each do |m| internal, external = m.split('=', 2).map(&:strip) newpath = path.sub(/\A#{internal}/i, external) return newpath unless path == newpath end

Here, internal comes from the HTTPXACCELMAPPING request header and is inserted directly into a regular expression without escaping. This gives the header value regex semantics rather than treating it as a literal prefix.

As a result, an attacker can supply metacharacters such as . or capture groups to alter how the path substitution is performed. For example, a mapping such as:

http X-Accel-Mapping: .=/protected/secret.txt

causes the entire source path to match and rewrites the redirect target to a clean attacker-chosen internal path.

This differs from the documented behavior of the header-based mapping path, which is described as a simple substitution. While application-supplied mappings may intentionally support regular expressions, header-supplied mappings should be treated as literal path prefixes.

The issue is only exploitable when untrusted X-Accel-Mapping headers can reach Rack. One realistic case is a reverse proxy configuration that intends to set X-Accel-Mapping itself, but fails to do so on some routes, allowing a client-supplied header to pass through unchanged.

Impact

Applications using Rack::Sendfile with x-accel-redirect may be affected if the backend accepts attacker-controlled X-Accel-Mapping headers.

In affected deployments, an attacker may be able to control the X-Accel-Redirect response header and cause nginx to serve files from internal locations that were not intended to be reachable through the application. This can lead to unauthorized file disclosure.

The practical impact depends on deployment architecture. If the proxy always strips or overwrites X-Accel-Mapping, or if the application uses explicit configured mappings instead of the request header, exploitability may be eliminated.

Mitigation

Update to a patched version of Rack that treats header-supplied X-Accel-Mapping values as literal strings rather than regular expressions. Strip or overwrite inbound X-Accel-Mapping headers at the reverse proxy so client-supplied values never reach Rack. Prefer explicit application-configured sendfile mappings instead of relying on request-header mappings. Review proxy sub-locations and inherited header settings to ensure X-Accel-Mapping is consistently set on all backend routes.

Other sources

Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Sendfile#mapaccelpath interpolates the value of the X-Accel-Mapping request header directly into a regular expression when rewriting file paths for X-Accel-Redirect. Because the header value is not escaped, an attacker who can supply X-Accel-Mapping to the backend can inject regex metacharacters and control the generated X-Accel-Redirect response header. In deployments using Rack::Sendfile with x-accel-redirect, this can allow an attacker to cause nginx to serve unintended files from configured internal locations. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.

MITRE

Affected Software

6 affected componentsFixes available
rubygems/rack>=3.2.0<3.2.6
3.2.6
rubygems/rack>=3.0.0.beta1<3.1.21
3.1.21
rubygems/rack<2.2.23
2.2.23
Rack Rack Ruby<2.2.23
Rack Rack Ruby>=3.0.0<3.1.21
Rack Rack Ruby>=3.2.0<3.2.6

Event History

Apr 2, 2026
CVE Published
via MITRE·04:47 PM
Data Sourced
via MITRE·04:47 PM
DescriptionSeverityWeakness
Data Sourced
via NVD·05:16 PM
DescriptionSeverityWeakness
Data Sourced
via NVD·05:16 PM
Affected Software
Advisory Published
via GitHub·08:35 PM
Data Sourced
via GitHub·08:35 PM
DescriptionSeverityWeaknessAffected Software
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2026-34830?

CVE-2026-34830 is classified as a high-severity vulnerability due to its potential for arbitrary file reads.

2

How do I fix CVE-2026-34830?

To mitigate CVE-2026-34830, upgrade to rack version 3.2.6, 3.1.21, or 2.2.23.

3

What is the impact of CVE-2026-34830?

CVE-2026-34830 allows attackers to exploit the X-Accel-Mapping header to read unauthorized files from the server.

4

Which versions of rack are affected by CVE-2026-34830?

CVE-2026-34830 affects rack versions prior to 3.2.6, 3.1.21, and 2.2.23.

5

What is the nature of CVE-2026-34830?

CVE-2026-34830 is a regex injection vulnerability that arises from improper handling of the HTTP_X_ACCEL_MAPPING header.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203