UBUNTU-CVE-2026-34835

See a problem?
Please try reporting it to the source first.
Source
https://ubuntu.com/security/CVE-2026-34835
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-34835.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-34835
Upstream
  • CVE-2026-34835
Downstream
Published
2026-04-02T18:16:00Z
Modified
2026-04-17T10:35:47.770796Z
Severity
  • 4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
  • Ubuntu - medium
Summary
[none]
Details

Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21, and 3.2.0 to before 3.2.6, Rack::Request parses the Host header using an AUTHORITY regular expression that accepts characters not permitted in RFC-compliant hostnames, including /, ?, #, and @. Because req.host returns the full parsed value, applications that validate hosts using naive prefix or suffix checks can be bypassed. This can lead to host header poisoning in applications that use req.host, req.url, or req.base_url for link generation, redirects, or origin validation. This issue has been patched in versions 3.1.21 and 3.2.6.

References

Affected packages

Ubuntu:25.10 / ruby-rack

Package

Name
ruby-rack
Purl
pkg:deb/ubuntu/ruby-rack@3.1.16-0.1ubuntu0.3?arch=source&distro=questing

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*
2.2.7-1.1
3.*
3.1.16-0.1
3.1.16-0.1ubuntu0.1
3.1.16-0.1ubuntu0.2
3.1.16-0.1ubuntu0.3

Ecosystem specific 

{
    "binaries": [
        {
            "binary_version": "3.1.16-0.1ubuntu0.3",
            "binary_name": "ruby-rack"
        }
    ]
}

Database specific

source 
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-34835.json"