Rack: Malicious requests can reveal directories outside the intended root
CVE-2026-22860
GHSA-mxw3-3hh2-x2mh
Summary
A security issue in Rack can allow attackers to list directories outside the intended secure area of a website. This is a concern if you're serving a directory with Rack and a sibling directory's name begins with the served root's name (for example a root named `root` next to `root_backup`). To stay safe, update to a patched version of Rack or choose directory names that don't share the root directory's name as a prefix.
What to do
- Update leah neukirchen rack to version 2.2.22.
- Update leah neukirchen rack to version 3.1.20.
- Update leah neukirchen rack to version 3.2.5.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| leah neukirchen | rack | <= 2.2.22 | 2.2.22 |
| leah neukirchen | rack | > 3.0.0.beta1 , <= 3.1.20 | 3.1.20 |
| leah neukirchen | rack | > 3.2.0 , <= 3.2.5 | 3.2.5 |
| rack | rack | <= 2.2.22 | – |
| rack | rack | > 3.0.0 , <= 3.1.20 | – |
| rack | rack | > 3.2.0 , <= 3.2.5 | – |
Original title
Rack has a Directory Traversal via Rack::Directory
Original description
## Summary
`Rack::Directory`’s path check used a string prefix match on the expanded path. A request like `/../root_example/` can escape the configured root if the target path starts with the root string, allowing directory listing outside the intended root.
## Details
In `directory.rb`, `File.expand_path(File.join(root, path_info)).start_with?(root)` does not enforce a path boundary. If the server root is `/var/www/root`, a path like `/var/www/root_backup` passes the check because it shares the same prefix, so `Rack::Directory` will list that directory also.
## Impact
Information disclosure via directory listing outside the configured root when `Rack::Directory` is exposed to untrusted clients and a directory shares the root prefix (e.g., `public2`, `www_backup`).
## Mitigation
* Update to a patched version of Rack that correctly checks the root prefix.
* Don't name directories with the same prefix as one which is exposed via `Rack::Directory`.
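The weak check quoted in the description beside a boundary-enforcing replacement, as an added example (not Rack's own code and not the project's actual patch). The root path and request paths are constructed; `File.expand_path` is purely lexical, so nothing needs to exist on disk.

```ruby
# Added example, not Rack's code. Shows why a bare prefix test on the
# expanded path accepts a sibling directory such as /var/www/root_backup,
# and how a separator-aware check closes that gap.

ROOT = '/var/www/root'.freeze # constructed root, as in the advisory

# Vulnerable form: string prefix match on the expanded path (the pattern
# the advisory describes). "/var/www/root_backup" starts with ROOT, so
# it passes even though it is outside the served tree.
def weak_inside_root?(root, path_info)
  File.expand_path(File.join(root, path_info)).start_with?(root)
end

# Hardened form: the resolved candidate must be the root itself or lie
# under "root/". The trailing separator is the path boundary the weak
# check lacks. (expand_path does not resolve symlinks; a deployment that
# allows symlinks inside the root should compare realpaths instead.)
def strict_inside_root?(root, path_info)
  root = File.expand_path(root)
  candidate = File.expand_path(File.join(root, path_info))
  candidate == root || candidate.start_with?(root + File::SEPARATOR)
end

# Constructed requests: a normal file, the sibling-directory escape from
# the advisory, a traversal that lands back on the root, and a classic
# traversal that both checks already reject.
REQUESTS = [
  '/index.html',
  '/../root_backup/',
  '/../root/',
  '/../../etc/passwd'
].freeze

# Returns [path_info, weak_result, strict_result] for each request.
def compare(root = ROOT)
  REQUESTS.map { |p| [p, weak_inside_root?(root, p), strict_inside_root?(root, p)] }
end

if __FILE__ == $PROGRAM_NAME
  compare.each do |p, weak, strict|
    puts format('%-20s weak=%-5s strict=%s', p, weak, strict)
  end
end
```

Only `/../root_backup/` differs between the two columns: the weak check admits it, the strict one rejects it.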
NVD CVSS 3.1: 7.5
Vulnerability type:
- CWE-22 Path Traversal
- CWE-548 Exposure of Information Through Directory Listing
- https://nvd.nist.gov/vuln/detail/CVE-2026-22860
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-22860...
- https://github.com/advisories/GHSA-mxw3-3hh2-x2mh
- https://github.com/rack/rack/commit/75c5745c286637a8f049a33790c71237762069e7 (Patch)
- https://github.com/rack/rack/security/advisories/GHSA-mxw3-3hh2-x2mh (Exploit, Mitigation, Vendor Advisory)
Published: 17 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026