Medium severity5.3NVD Advisory· Published Apr 2, 2026· Updated Apr 16, 2026

CVE-2026-34230

Description

Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Utils.select_best_encoding processes Accept-Encoding values with quadratic time complexity when the header contains many wildcard (*) entries. Because this method is used by Rack::Deflater to choose a response encoding, an unauthenticated attacker can send a single request with a crafted Accept-Encoding header and cause disproportionate CPU consumption on the compression middleware path. This results in a denial of service condition for applications using Rack::Deflater. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.

Affected products

Rack/Rack
cpe:2.3:a:rack:rack:*:*:*:*:*:ruby:*:*
Range: <2.2.23

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-v569-hp3g-36wrghsaADVISORY
github.com/rack/rack/security/advisories/GHSA-v569-hp3g-36wrnvdVendor Advisory
github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-34230.ymlghsa
nvd.nist.gov/vuln/detail/CVE-2026-34230ghsa

News mentions

No linked articles in our index yet.

cvss	0.345
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000