CVE-2026-22860

HIGH

Rack <2.2.22/3.1.20/3.2.5 - Path Traversal

Title source: llm

Description

Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory`’s path check used a string prefix match on the expanded path. A request like `/../root_example/` can escape the configured root if the target path starts with the root string, allowing directory listing outside the intended root. Versions 2.2.22, 3.1.20, and 3.2.5 fix the issue.

References (2)

[Patch] https://github.com/rack/rack/commit/75c5745c286637a8f049a33790c71237762069e7

View Patch ZIP pw:eip

[Vendor Advisory] https://github.com/rack/rack/security/advisories/GHSA-mxw3-3hh2-x2mh

Scores

CVSS v3 7.5

EPSS 0.0007

EPSS Percentile 20.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Classification

CWE

CWE-548 CWE-22

Status published

Affected Products (2)

rubygems/rack < 2.2.22RubyGems

rack/rack < 2.2.22

Timeline

Published Feb 18, 2026

Tracked Since Feb 18, 2026