CVE-2026-34786: Rack:: Static header_rules bypass via URL-encoded paths

April 2, 2026

Rack::Static#applicable_rules evaluates several header_rules types against the raw URL-encoded PATH_INFO, while the underlying file-serving path is decoded before the file is served. As a result, a request for a URL-encoded variant of a static path can serve the same file without the headers that header_rules were intended to apply.

In deployments that rely on Rack::Static to attach security-relevant response headers to static content, this can allow an attacker to bypass those headers by requesting an encoded form of the path.

References

github.com/advisories/GHSA-q4qf-9j86-f5mh
github.com/rack/rack
github.com/rack/rack/security/advisories/GHSA-q4qf-9j86-f5mh
nvd.nist.gov/vuln/detail/CVE-2026-34786

Code Behaviors & Features

Detect and mitigate CVE-2026-34786 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →