Rack 3.2.03.2.5 Header Injection via Incorrect Multipart Header Unfolding
CVE-2026-26962 Published on April 2, 2026
Rack: Header injection in multipart requests
Rack is a modular Ruby web server interface. From version 3.2.0 to before version 3.2.6, Rack::Multipart::Parser unfolds folded multipart part headers incorrectly. When a multipart header contains an obs-fold sequence, Rack preserves the embedded CRLF in parsed parameter values such as filename or name instead of removing the folded line break during unfolding. As a result, applications that later reuse those parsed values in HTTP response headers may be vulnerable to downstream header injection or response splitting. This issue has been patched in version 3.2.6.
Vulnerability Analysis
CVE-2026-26962 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.
Weakness Type
What is a CRLF Injection Vulnerability?
The software uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
CVE-2026-26962 has been classified to as a CRLF Injection vulnerability or weakness.
Products Associated with CVE-2026-26962
stack.watch emails you whenever new vulnerabilities are published in Rack or Canonical Ubuntu Linux. Just hit a watch button to start following.
Affected Versions
rack Version >= 3.2.0, < 3.2.6 is affected by CVE-2026-26962Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.