EUVD-2026-18423

🗓️ 02 Apr 2026 20:31:52Reported by EUVDType

Rack parsing of the Forwarded header can split on semicolons, enabling smuggling; fixed in 3.1.21 and 3.2.6.

Reporter	Title	Published	Views	Family All 41
ATTACKERKB	CVE-2026-32762	2 Apr 202617:06	–	attackerkb
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in IBM Aspera Console	16 Apr 202622:21	–	ibm
Chainguard	CVE-2026-32762 vulnerabilities	6 Apr 202601:18	–	cgr
CNNVD	Rack 安全漏洞	2 Apr 202600:00	–	cnnvd
CVE	CVE-2026-32762	2 Apr 202617:06	–	cve
Cvelist	CVE-2026-32762 Rack: Forwarded Header semicolon injection enables Host and Scheme spoofing	2 Apr 202617:06	–	cvelist
Debian CVE	CVE-2026-32762	2 Apr 202617:06	–	debiancve
Github Security Blog	Rack: Forwarded Header semicolon injection enables Host and Scheme spoofing	2 Apr 202620:31	–	github
NVD	CVE-2026-32762	2 Apr 202618:16	–	nvd
OSV	CGA-39JG-9VR8-XM6F	6 Apr 202600:30	–	osv

[
  {
    "enisaIdVendor": [
      {
        "id": "8d7ce2c5-36ea-3dc6-a8fe-a4153925681b",
        "vendor": {
          "name": "rack"
        }
      }
    ],
    "enisaIdProduct": [
      {
        "id": "3ba3c085-4680-31a4-b72f-09acf3544ce6",
        "product": {
          "name": "rack"
        },
        "product_version": "3.2.0, < 3.2.6"
      },
      {
        "id": "adbd6bcb-9676-3ab6-bdf8-39c963844a7e",
        "product": {
          "name": "rack"
        },
        "product_version": "3.0.0.beta1, < 3.1.21"
      }
    ]
  }
]

Source	Link
github	www.github.com/rack/rack/security/advisories/GHSA-qfgr-crr9-7r49
nvd	www.nvd.nist.gov/vuln/detail/CVE-2026-32762

02 Apr 2026 20:31Current

5.8Medium risk

Vulners AI Score5.8

CVSS 3.14.8

EPSS0.00048

SSVC