CVE-2026-22860

Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory`’s path check used a string prefix match on the expanded path. A request like `/../root_example/` can escape the configured root if the target path starts with the root string, allowing directory listing outside the intended root. Versions 2.2.22, 3.1.20, and 3.2.5 fix the issue.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/rack/rack/commit/75c5745c286637a8f049a33790c71237762069e7	Patch
https://github.com/rack/rack/security/advisories/GHSA-mxw3-3hh2-x2mh	Exploit Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:rack:rack::::::ruby::*
	cpe:2.3:a:rack:rack::::::ruby::*
	cpe:2.3:a:rack:rack::::::ruby::*

History

No history.

Information

Published : 2026-02-18 19:21

Updated : 2026-02-19 18:27

NVD link : CVE-2026-22860

Mitre link : CVE-2026-22860

CVE.ORG link : CVE-2026-22860

JSON object : View

Products Affected

rack

rack

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-548

Exposure of Information Through Directory Listing

{"id": "CVE-2026-22860", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2026-02-18T19:21:43.933", "references": [{"url": "https://github.com/rack/rack/commit/75c5745c286637a8f049a33790c71237762069e7", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/rack/rack/security/advisories/GHSA-mxw3-3hh2-x2mh", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-548"}]}], "descriptions": [{"lang": "en", "value": "Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory`\u2019s path check used a string prefix match on the expanded path. A request like `/../root_example/` can escape the configured root if the target path starts with the root string, allowing directory listing outside the intended root. Versions 2.2.22, 3.1.20, and 3.2.5 fix the issue."}, {"lang": "es", "value": "Rack es una interfaz modular de servidor web Ruby. Antes de las versiones 2.2.22, 3.1.20 y 3.2.5, la verificaci\u00f3n de ruta de 'Rack::Directory' utilizaba una coincidencia de prefijo de cadena en la ruta expandida. Una solicitud como '/../root_example/' puede escapar de la ra\u00edz configurada si la ruta de destino comienza con la cadena ra\u00edz, permitiendo la enumeraci\u00f3n de directorios fuera de la ra\u00edz prevista. Las versiones 2.2.22, 3.1.20 y 3.2.5 solucionan el problema."}], "lastModified": "2026-02-19T18:27:09.117", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:rack:rack:*:*:*:*:*:ruby:*:*", "vulnerable": true, "matchCriteriaId": "58D73D7A-523C-4472-9322-87B5E7A785CA", "versionEndExcluding": "2.2.22"}, {"criteria": "cpe:2.3:a:rack:rack:*:*:*:*:*:ruby:*:*", "vulnerable": true, "matchCriteriaId": "76491EC1-2EA1-492E-97B2-2427EDFB0E07", "versionEndExcluding": "3.1.20", "versionStartIncluding": "3.0.0"}, {"criteria": "cpe:2.3:a:rack:rack:*:*:*:*:*:ruby:*:*", "vulnerable": true, "matchCriteriaId": "653A4AF6-055E-46F2-992E-C6624BBF8A25", "versionEndExcluding": "3.2.5", "versionStartIncluding": "3.2.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}