{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-34785/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-34785"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["rack","information-disclosure","CVE-2026-34785","ruby","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eRack, a modular Ruby web server interface, is susceptible to an information disclosure vulnerability in versions prior to 2.2.23, 3.1.21, and 3.2.6. The flaw resides in the Rack::Static middleware component, which uses a simple string prefix check to determine if a request should be served as a static file. When configured with URL prefixes, such as \u0026ldquo;/css\u0026rdquo;, Rack::Static incorrectly matches any request path starting with \u0026ldquo;/css\u0026rdquo;, potentially serving unintended files like \u0026ldquo;/css-config.env\u0026rdquo; or \u0026ldquo;/css-backup.sql\u0026rdquo;. This allows unauthorized access to sensitive files located under the static root directory. This vulnerability, identified as CVE-2026-34785, can lead to the disclosure of configuration files, database backups, and other sensitive information. The vulnerability has been patched in Rack versions 2.2.23, 3.1.21, and 3.2.6.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a Rack-based web application using a vulnerable version of Rack (prior to 2.2.23, 3.1.21, or 3.2.6).\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a static file directory configured in the Rack application, for example using a path prefix like \u0026ldquo;/css\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request targeting a sensitive file within the static directory, such as \u0026ldquo;/css-config.env\u0026rdquo; or \u0026ldquo;/css-backup.sql\u0026rdquo;, that shares the configured prefix but is not intended to be served publicly.\u003c/li\u003e\n\u003cli\u003eThe Rack::Static middleware incorrectly matches the malicious request due to the simple string prefix check.\u003c/li\u003e\n\u003cli\u003eThe web server serves the unintended file to the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to sensitive information contained in the served file.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the disclosed information to further compromise the application or infrastructure.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-34785) can lead to the disclosure of sensitive information, including configuration files, database backups, and other critical data. The impact severity is dependent on the nature of the exposed files. For example, exposure of database credentials could result in a full compromise of the application\u0026rsquo;s data. Organizations using vulnerable Rack versions are susceptible to information breaches if they rely on Rack::Static to serve files.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Rack to version 2.2.23, 3.1.21, or 3.2.6 or later to patch CVE-2026-34785.\u003c/li\u003e\n\u003cli\u003eReview Rack::Static configurations to ensure appropriate restrictions are in place for serving static files.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious Rack Static File Access\u0026rdquo; to identify attempts to access files with similar prefixes.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs (category: webserver) for unusual requests with file extensions such as \u003ccode\u003e.env\u003c/code\u003e, \u003ccode\u003e.sql\u003c/code\u003e, \u003ccode\u003e.bak\u003c/code\u003e that fall under static directories (e.g., /css, /js, /img).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-02T17:16:24Z","date_published":"2026-04-02T17:16:24Z","id":"/briefs/2026-04-rack-static-disclosure/","summary":"Rack versions prior to 2.2.23, 3.1.21, and 3.2.6 are vulnerable to information disclosure due to improper static file serving via a prefix matching issue in Rack::Static.","title":"Rack::Static Information Disclosure Vulnerability (CVE-2026-34785)","url":"https://feed.craftedsignal.io/briefs/2026-04-rack-static-disclosure/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-34785","version":"https://jsonfeed.org/version/1.1"}