{
    "document": {
        "category": "csaf_base",
        "csaf_version": "2.0",
        "distribution": {
            "tlp": {
                "label": "WHITE"
            }
        },
        "lang": "en",
        "notes": [
            {
                "category": "legal_disclaimer",
                "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to the cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy or incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
            }
        ],
        "publisher": {
            "category": "coordinator",
            "contact_details": "cert@ncsc.nl",
            "name": "National Cyber Security Centre",
            "namespace": "https://www.ncsc.nl/"
        },
        "title": "CVE-2026-34835",
        "tracking": {
            "current_release_date": "2026-04-03T15:32:40.114952Z",
            "generator": {
                "date": "2026-02-17T15:00:00Z",
                "engine": {
                    "name": "V.E.L.M.A",
                    "version": "1.7"
                }
            },
            "id": "CVE-2026-34835",
            "initial_release_date": "2026-04-02T17:38:53.868511Z",
            "revision_history": [
                {
                    "date": "2026-04-02T17:38:53.868511Z",
                    "number": "1",
                    "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (2).| References created (1).| CWES updated (1)."
                },
                {
                    "date": "2026-04-02T17:38:56.201572Z",
                    "number": "2",
                    "summary": "NCSC Score created."
                },
                {
                    "date": "2026-04-02T18:27:40.219922Z",
                    "number": "3",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (1).| CWES updated (1)."
                },
                {
                    "date": "2026-04-02T18:27:41.536355Z",
                    "number": "4",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-04-02T18:47:56.879552Z",
                    "number": "5",
                    "summary": "Unknown change."
                },
                {
                    "date": "2026-04-02T20:52:56.558147Z",
                    "number": "6",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (3).| CWES updated (1)."
                },
                {
                    "date": "2026-04-03T00:44:10.612342Z",
                    "number": "7",
                    "summary": "Source created.| CVE status created. (valid)| Products connected (2)."
                },
                {
                    "date": "2026-04-03T00:44:16.705828Z",
                    "number": "8",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-04-03T06:45:54.953353Z",
                    "number": "9",
                    "summary": "Description created for source."
                },
                {
                    "date": "2026-04-03T15:30:46.901617Z",
                    "number": "10",
                    "summary": "Source connected.| CVE status created. (valid)| EPSS created."
                },
                {
                    "date": "2026-04-03T15:30:50.010667Z",
                    "number": "11",
                    "summary": "NCSC Score updated."
                }
            ],
            "status": "interim",
            "version": "11"
        }
    },
    "product_tree": {
        "branches": [
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/>=3.0.0.beta1|<3.1.21",
                                "product": {
                                    "name": "vers:unknown/>=3.0.0.beta1|<3.1.21",
                                    "product_id": "CSAFPID-5985094"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/>=3.2.0|<3.2.6",
                                "product": {
                                    "name": "vers:unknown/>=3.2.0|<3.2.6",
                                    "product_id": "CSAFPID-5985095"
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "rack"
                    }
                ],
                "category": "vendor",
                "name": "rack"
            },
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:deb/unknown",
                                        "product": {
                                            "name": "vers:deb/unknown",
                                            "product_id": "CSAFPID-2065710"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "ruby-rack"
                            }
                        ],
                        "category": "product_family",
                        "name": "bookworm"
                    },
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:deb/unknown",
                                        "product": {
                                            "name": "vers:deb/unknown",
                                            "product_id": "CSAFPID-2065711"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "ruby-rack"
                            }
                        ],
                        "category": "product_family",
                        "name": "bullseye"
                    }
                ],
                "category": "vendor",
                "name": "Debian"
            }
        ]
    },
    "vulnerabilities": [
        {
            "cve": "CVE-2026-34835",
            "cwe": {
                "id": "CWE-1286",
                "name": "Improper Validation of Syntactic Correctness of Input"
            },
            "notes": [
                {
                    "category": "description",
                    "text": "Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21, and 3.2.0 to before 3.2.6, Rack::Request parses the Host header using an AUTHORITY regular expression that accepts characters not permitted in RFC-compliant hostnames, including /, ?, #, and @. Because req.host returns the full parsed value, applications that validate hosts using naive prefix or suffix checks can be bypassed. This can lead to host header poisoning in applications that use req.host, req.url, or req.base_url for link generation, redirects, or origin validation. This issue has been patched in versions 3.1.21 and 3.2.6.",
                    "title": "cveprojectv5 - https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/34xxx/CVE-2026-34835.json"
                },
                {
                    "category": "description",
                    "text": "Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21, and 3.2.0 to before 3.2.6, Rack::Request parses the Host header using an AUTHORITY regular expression that accepts characters not permitted in RFC-compliant hostnames, including /, ?, #, and @. Because req.host returns the full parsed value, applications that validate hosts using naive prefix or suffix checks can be bypassed. This can lead to host header poisoning in applications that use req.host, req.url, or req.base_url for link generation, redirects, or origin validation. This issue has been patched in versions 3.1.21 and 3.2.6.",
                    "title": "nvd - https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-34835"
                },
                {
                    "category": "description",
                    "text": "## Summary\n\n`Rack::Request` parses the `Host` header using an `AUTHORITY` regular expression that accepts characters not permitted in RFC-compliant hostnames, including `/`, `?`, `#`, and `@`. Because `req.host` returns the full parsed value, applications that validate hosts using naive prefix or suffix checks can be bypassed.\n\nFor example, a check such as `req.host.start_with?(\"myapp.com\")` can be bypassed with `Host: myapp.com@evil.com`, and a check such as `req.host.end_with?(\"myapp.com\")` can be bypassed with `Host: evil.com/myapp.com`.\n\nThis can lead to host header poisoning in applications that use `req.host`, `req.url`, or `req.base_url` for link generation, redirects, or origin validation.\n\n## Details\n\n`Rack::Request` parses the authority component using logic equivalent to:\n\n```ruby\nAUTHORITY = /\n  \\A\n  (?<host>\n    \\[(?<address>#{ipv6})\\]\n    |\n    (?<address>[[[:graph:]&&[^\\[\\]]]]*?)\n  )\n  (:(?<port>\\d+))?\n  \\z\n/x\n```\n\nThe character class used for non-IPv6 hosts accepts nearly all printable characters except `[` and `]`. This includes reserved URI delimiters such as `@`, `/`, `?`, and `#`, which are not valid hostname characters under RFC 3986 host syntax.\n\nAs a result, values such as the following are accepted and returned through `req.host`:\n\n```text\nmyapp.com@evil.com\nevil.com/myapp.com\nevil.com#myapp.com\n```\n\nApplications that attempt to allowlist hosts using string prefix or suffix checks may therefore treat attacker-controlled hosts as trusted. For example:\n\n```ruby\nreq.host.start_with?(\"myapp.com\")\n```\n\naccepts:\n\n```text\nmyapp.com@evil.com\n```\n\nand:\n\n```ruby\nreq.host.end_with?(\"myapp.com\")\n```\n\naccepts:\n\n```text\nevil.com/myapp.com\n```\n\nWhen those values are later used to build absolute URLs or enforce origin restrictions, the application may produce attacker-controlled results.\n\n## Impact\n\nApplications that rely on `req.host`, `req.url`, or `req.base_url` may be affected if they perform naive host validation or assume Rack only returns RFC-valid hostnames.\n\nIn affected deployments, an attacker may be able to bypass host allowlists and poison generated links, redirects, or origin-dependent security decisions. This can enable attacks such as password reset link poisoning or other host header injection issues.\n\nThe practical impact depends on application behavior. If the application or reverse proxy already enforces strict host validation, exploitability may be reduced or eliminated.\n\n## Mitigation\n\n* Update to a patched version of Rack that rejects invalid authority characters in `Host`.\n* Enforce strict `Host` header validation at the reverse proxy or load balancer.\n* Do not rely on prefix or suffix string checks such as `start_with?` or `end_with?` for host allowlisting.\n* Use exact host allowlists, or exact subdomain boundary checks, after validating that the host is syntactically valid.",
                    "title": "github - https://api.github.com/advisories/GHSA-g2pf-xv49-m2h5"
                },
                {
                    "category": "description",
                    "text": "Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21, and 3.2.0 to before 3.2.6, Rack::Request parses the Host header using an AUTHORITY regular expression that accepts characters not permitted in RFC-compliant hostnames, including /, ?, #, and @. Because req.host returns the full parsed value, applications that validate hosts using naive prefix or suffix checks can be bypassed. This can lead to host header poisoning in applications that use req.host, req.url, or req.base_url for link generation, redirects, or origin validation. This issue has been patched in versions 3.1.21 and 3.2.6.",
                    "title": "debian - https://security-tracker.debian.org/tracker/CVE-2026-34835"
                },
                {
                    "category": "other",
                    "text": "0.00041",
                    "title": "EPSS"
                },
                {
                    "category": "other",
                    "text": "4.0",
                    "title": "NCSC Score"
                },
                {
                    "category": "other",
                    "text": "Is related to (a version of) an uncommon product, There is cwe data available from source Nvd",
                    "title": "NCSC Score top decreasing factors"
                }
            ],
            "product_status": {
                "known_affected": [
                    "CSAFPID-5985094",
                    "CSAFPID-5985095",
                    "CSAFPID-2065710",
                    "CSAFPID-2065711"
                ]
            },
            "references": [
                {
                    "category": "external",
                    "summary": "Source - cveprojectv5",
                    "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/34xxx/CVE-2026-34835.json"
                },
                {
                    "category": "external",
                    "summary": "Source - nvd",
                    "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-34835"
                },
                {
                    "category": "external",
                    "summary": "Source - github",
                    "url": "https://api.github.com/advisories/GHSA-g2pf-xv49-m2h5"
                },
                {
                    "category": "external",
                    "summary": "Source - debian",
                    "url": "https://security-tracker.debian.org/tracker/CVE-2026-34835"
                },
                {
                    "category": "external",
                    "summary": "Source - first",
                    "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd",
                    "url": "https://github.com/rack/rack/security/advisories/GHSA-g2pf-xv49-m2h5"
                },
                {
                    "category": "external",
                    "summary": "Reference - github",
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34835"
                },
                {
                    "category": "external",
                    "summary": "Reference - github",
                    "url": "https://github.com/advisories/GHSA-g2pf-xv49-m2h5"
                }
            ],
            "scores": [
                {
                    "cvss_v3": {
                        "version": "3.1",
                        "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
                        "baseScore": 4.8,
                        "baseSeverity": "MEDIUM"
                    },
                    "products": [
                        "CSAFPID-2065710",
                        "CSAFPID-2065711",
                        "CSAFPID-5985094",
                        "CSAFPID-5985095"
                    ]
                }
            ],
            "title": "CVE-2026-34835"
        }
    ]
}