Is CVE-2026-26962 actively exploited?

CVE-2026-26962 has no public evidence of in-the-wild exploitation as of 2026-04-21.

What is the CVSS score for CVE-2026-26962?

CVE-2026-26962 has a CVSS score of 4.8 (MEDIUM severity). Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N.

How do I patch CVE-2026-26962?

Patch guidance is available from rack security advisories. CVEDatabase generates AI-assisted remediation guidance on demand for CVE-2026-26962.

CVE-2026-26962 - remediation guidance & executive summary

Description

Rack is a modular Ruby web server interface. From version 3.2.0 to before version 3.2.6, Rack::Multipart::Parser unfolds folded multipart part headers incorrectly. When a multipart header contains an obs-fold sequence, Rack preserves the embedded CRLF in parsed parameter values such as filename or name instead of removing the folded line break during unfolding. As a result, applications that later reuse those parsed values in HTTP response headers may be vulnerable to downstream header injection or response splitting. This issue has been patched in version 3.2.6.

CVSS Metrics

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector: network
Complexity: high
Privileges: none
User Action: none
Scope: unchanged
Confidentiality: low
Integrity: low
Availability: none
Weaknesses: CWE-93

Metadata

Primary Vendor: RACK
Published: 4/2/2026
Last Modified: 4/21/2026
Source: NIST NVD
Note: Verify all details with official vendor sources before applying patches.

CVE-2026-26962

Description

CVSS Metrics

Metadata

Affected Products

Remediation Guidance

Executive Summary