High severityNVD Advisory· Published Feb 18, 2026· Updated Feb 18, 2026

Rack has a Directory Traversal via Rack:Directory

CVE-2026-22860

Description

Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, Rack::Directory’s path check used a string prefix match on the expanded path. A request like /../root_example/ can escape the configured root if the target path starts with the root string, allowing directory listing outside the intended root. Versions 2.2.22, 3.1.20, and 3.2.5 fix the issue.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
rackRubyGems	< 2.2.22	2.2.22
rackRubyGems	>= 3.0.0.beta1, < 3.1.20	3.1.20
rackRubyGems	>= 3.2.0, < 3.2.5	3.2.5

Affected products

Rack/Rackv5
Range: < 2.2.22

Patches

75c5745c2866

Prevent directory traversal via root prefix bypass.

https://github.com/rack/rackMasamuneFeb 16, 2026via ghsa

commit

3 files changed · +20 −1

CHANGELOG.md+1 −0 modified

@@ -9,6 +9,7 @@ All notable changes to this project will be documented in this file. For info on
 - [CVE-2025-61780](https://github.com/advisories/GHSA-r657-rxjc-j557) Improper handling of headers in `Rack::Sendfile` may allow proxy bypass.
 - [CVE-2025-61919](https://github.com/advisories/GHSA-6xw4-3v39-52mm) Unbounded read in `Rack::Request` form parsing can lead to memory exhaustion.
 - [CVE-2026-25500](https://github.com/advisories/GHSA-whrj-4476-wvmp) XSS injection via malicious filename in `Rack::Directory`.
+- [CVE-2026-22860](https://github.com/advisories/GHSA-mxw3-3hh2-x2mh) Directory traversal via root prefix bypass in `Rack::Directory`.
 
 ### SPEC Changes

lib/rack/directory.rb+4 −1 modified

@@ -87,6 +87,7 @@ def DIR_FILE_escape(htmls)
     # Set the root directory and application for serving files.
     def initialize(root, app = nil)
       @root = ::File.expand_path(root)
+      @root_with_separator = @root.end_with?(::File::SEPARATOR) ? @root : "#{@root}#{::File::SEPARATOR}"
       @app = app || Files.new(@root)
       @head = Head.new(method(:get))
     end
@@ -123,7 +124,9 @@ def check_bad_request(path_info)
     # Rack response to use for requests with paths outside the root, or nil if path is inside the root.
     def check_forbidden(path_info)
       return unless path_info.include? ".."
-      return if ::File.expand_path(::File.join(@root, path_info)).start_with?(@root)
+
+      expanded_path = ::File.expand_path(::File.join(@root, path_info))
+      return if expanded_path == @root || expanded_path.start_with?(@root_with_separator)
 
       body = "Forbidden\n"
       [403, { CONTENT_TYPE => "text/plain",

test/spec_directory.rb+15 −0 modified

@@ -149,6 +149,21 @@ def setup
     res.must_be :forbidden?
   end
 
+  it "not allow directory traversal via root prefix bypass" do
+    Dir.mktmpdir do |dir|
+      root = File.join(dir, "root")
+      outside = "#{root}_test"
+      FileUtils.mkdir_p(root)
+      FileUtils.mkdir_p(outside)
+      FileUtils.touch(File.join(outside, "test.txt"))
+
+      app = Rack::Directory.new(root)
+      res = Rack::MockRequest.new(app).get("/../#{File.basename(outside)}/")
+
+      res.must_be :forbidden?
+    end
+  end
+
   it "not allow dir globs" do
     Dir.mktmpdir do |dir|
       weirds = "uploads/.?/.?"

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-mxw3-3hh2-x2mhghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-22860ghsaADVISORY
github.com/rack/rack/commit/75c5745c286637a8f049a33790c71237762069e7ghsax_refsource_MISCWEB
github.com/rack/rack/security/advisories/GHSA-mxw3-3hh2-x2mhghsax_refsource_CONFIRMWEB
github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-22860.ymlghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000