CVE-2026-34785: Rack::Static prefix matching can expose unintended files under the static root
Rack::Static determines whether a request should be served as a static file using a simple string prefix check. When configured with URL prefixes such as "/css", it matches any request path that begins with that string, including unrelated paths such as "/css-config.env" or "/css-backup.sql".
As a result, files under the static root whose names merely share the configured prefix may be served unintentionally, leading to information disclosure.
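The matching behaviour described above can be reproduced and checked without touching Rack itself. The following Ruby script is an added example, not Rack's own code and not the upstream fix: `prefix_match?` models the bare string-prefix check, `segment_match?` is one mitigation pattern that only accepts the prefix itself or paths below it as a directory, and `unintended_exposures` audits a static root for files the weak check would serve but the segment-aware check would not. The prefixes, file names and file contents are constructed for the example, and all helper names are hypothetical.

```ruby
require "tmpdir"
require "fileutils"

# Static URL prefixes as an application might configure them (constructed).
STATIC_PREFIXES = ["/css", "/js"].freeze

# Weak check: any request path that merely starts with the prefix string
# is treated as static, so "/css-config.env" matches the "/css" prefix.
def prefix_match?(path, prefixes = STATIC_PREFIXES)
  prefixes.any? { |prefix| path.start_with?(prefix) }
end

# Segment-aware check (hypothetical mitigation, not Rack's code): the prefix
# must be the whole path or be followed by "/", so only "/css" and
# "/css/..." are treated as static; "/css-config.env" is not.
def segment_match?(path, prefixes = STATIC_PREFIXES)
  prefixes.any? do |prefix|
    base = prefix.chomp("/")
    path == base || path.start_with?("#{base}/")
  end
end

# Audit helper: walk a static root on disk and return the request paths the
# weak check would serve that the segment-aware check rejects. These are
# the files at risk of unintended disclosure under the configured prefixes.
def unintended_exposures(root, prefixes = STATIC_PREFIXES)
  Dir.glob("**/*", File::FNM_DOTMATCH, base: root)
     .select { |rel| File.file?(File.join(root, rel)) }
     .map    { |rel| "/#{rel}" }
     .select { |path| prefix_match?(path, prefixes) && !segment_match?(path, prefixes) }
     .sort
end

# Build a throwaway static root with constructed files: two legitimate
# assets plus two files that only share the "/css" prefix by name.
def build_sample_root
  root = Dir.mktmpdir("static-root")
  {
    "css/app.css"    => "body { color: #333; }",
    "js/app.js"      => "console.log('constructed sample');",
    "css-config.env" => "SECRET=constructed-sample-value",
    "css-backup.sql" => "-- constructed sample dump",
    "index.html"     => "<h1>home</h1>"
  }.each do |rel, body|
    full = File.join(root, rel)
    FileUtils.mkdir_p(File.dirname(full))
    File.write(full, body)
  end
  root
end

if __FILE__ == $PROGRAM_NAME
  root = build_sample_root
  puts "Files served only because of prefix matching:"
  unintended_exposures(root).each { |path| puts "  #{path}" }
  FileUtils.remove_entry(root)
end
```

Running the script lists `/css-backup.sql` and `/css-config.env` as the paths the prefix check would serve, while `/css/app.css` and `/js/app.js` pass both checks. The same audit loop can be pointed at a real static root to confirm whether any file names there collide with a configured prefix.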