Rack::Request accepts invalid Host characters, enabling host allowlist bypass — CVE-2026-34835
GitHub · GitHub · CVE-2026-34835
ID
CVE-2026-34835
CVE-2026-34835
Date
Updated
Activity
Source
GitHub
GitHub
Vendor
GitHub
GitHub
Threat
medium
medium
CVSS
4.8
4.8
EPSS
0.00112
0.00112
Summary
## Summary `Rack::Request` parses the `Host` header using an `AUTHORITY` regular expression that accepts characters not permitted in RFC-compliant hostnames, including `/`, `?`, `#`, and `@`. Because `req.host` returns the full parsed value, applications that validate hosts using naive prefix or suffix checks can be bypassed. For example, a check such as `req.host.start_with?("myapp.com")` can be bypassed with…
Product
rubygems: rack
What to do
General, cautious steps (verify details in the official source):
- Review exposure and plan remediation based on risk and environment.
- Identify affected product versions in your inventory and verify whether you are impacted.
- Apply vendor patches/updates or recommended mitigations as soon as available.
- Read the official advisory for exact affected versions and remediation steps.