CVE-2026-34835
Publication date 2 April 2026
Last updated 23 April 2026
Ubuntu priority
Description
Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21, and 3.2.0 to before 3.2.6, Rack::Request parses the Host header using an AUTHORITY regular expression that accepts characters not permitted in RFC-compliant hostnames, including /, ?, #, and @. Because req.host returns the full parsed value, applications that validate hosts using naive prefix or suffix checks can be bypassed. This can lead to host header poisoning in applications that use req.host, req.url, or req.base_url for link generation, redirects, or origin validation. This issue has been patched in versions 3.1.21 and 3.2.6.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| ruby-rack | 26.04 LTS resolute |
Vulnerable
|
| 25.10 questing |
Fixed 3.1.16-0.1ubuntu0.3
|
|
| 24.04 LTS noble |
Not affected
|
|
| 22.04 LTS jammy |
Not affected
|
|
| 20.04 LTS focal |
Not affected
|
|
| 18.04 LTS bionic |
Not affected
|
|
| 16.04 LTS xenial |
Not affected
|
|
| 14.04 LTS trusty |
Not affected
|
Severity score breakdown
CVSS version: CVSS v3.0
Base score
4.8 · Medium
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
References
Related Ubuntu Security Notices (USN)
- USN-8182-1
- Rack vulnerabilities
- 17 April 2026