Is CVE-2026-32762 actively exploited?

CVE-2026-32762 has no public evidence of in-the-wild exploitation as of 2026-04-21.

What is the CVSS score for CVE-2026-32762?

CVE-2026-32762 has a CVSS score of 4.8 (MEDIUM severity). Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N.

How do I patch CVE-2026-32762?

Patch guidance is available from rack security advisories. CVEDatabase generates AI-assisted remediation guidance on demand for CVE-2026-32762.

Which products are affected by CVE-2026-32762?

2 products: rack rack, rack rack.

CVE-2026-32762 - remediation guidance & executive summary

Description

Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21 and 3.2.0 to before 3.2.6, Rack::Utils.forwarded_values parses the RFC 7239 Forwarded header by splitting on semicolons before handling quoted-string values. Because quoted values may legally contain semicolons, a header can be interpreted by Rack as multiple Forwarded directives rather than as a single quoted for value. In deployments where an upstream proxy, WAF, or intermediary validates or preserves quoted Forwarded values differently, this discrepancy can allow an attacker to smuggle host, proto, for, or by parameters through a single header value. This issue has been patched in versions 3.1.21 and 3.2.6.

CVSS Metrics

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector: network
Complexity: high
Privileges: none
User Action: none
Scope: unchanged
Confidentiality: low
Integrity: low
Availability: none
Weaknesses: CWE-436

Metadata

Primary Vendor: RACK
Published: 4/2/2026
Last Modified: 4/21/2026
Source: NIST NVD
Note: Verify all details with official vendor sources before applying patches.

Affected Products

rack : rackrack : rack

Remediation Guidance

Executive Summary

Cite this page

CVE-2026-32762. CVEDatabase.com. Retrieved 1 May 2026. https://cvedatabase.com/cve/CVE-2026-32762

View on NIST NVD

CVE-2026-32762 vulnerability