Regex Injection via X-Accel-Mapping in Rack::Sendfile 3.2.6
CVE-2026-34830 Published on April 2, 2026
Rack: Rack::Sendfile regex injection via HTTP_X_ACCEL_MAPPING header allows arbitrary file reads through nginx
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Sendfile#map_accel_path interpolates the value of the X-Accel-Mapping request header directly into a regular expression when rewriting file paths for X-Accel-Redirect. Because the header value is not escaped, an attacker who can supply X-Accel-Mapping to the backend can inject regex metacharacters and control the generated X-Accel-Redirect response header. In deployments using Rack::Sendfile with x-accel-redirect, this can allow an attacker to cause nginx to serve unintended files from configured internal locations. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
Vulnerability Analysis
CVE-2026-34830 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.
Weakness Type
Permissive Regular Expression
The product uses a regular expression that does not sufficiently restrict the set of allowed values.
Products Associated with CVE-2026-34830
stack.watch emails you whenever new vulnerabilities are published in Rack or Canonical Ubuntu Linux. Just hit a watch button to start following.
Affected Versions
rack:- Version < 2.2.23 is affected.
- Version >= 3.0.0.beta1, < 3.1.21 is affected.
- Version >= 3.2.0, < 3.2.6 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.