CVE Catalog
CVE-2026-38969
Low risk· EPSS 6%Exploitation Probability (EPSS)
Low risk0.16%
6th percentile — higher than 6% of all known CVEs
Summary
A vulnerability in the Ruby WEBrick library (up to version 1.9.2) re-parses the trailer Content-Length header into the canonical request state, enabling request smuggling attacks.
Risk Assessment
An attacker can exploit this flaw to smuggle malicious HTTP requests, potentially bypassing security controls, hijacking sessions, or attacking other applications behind a proxy.
Recommendation
Immediately update the WEBrick library to version 1.9.3 or later, which includes a fix for this vulnerability.
Original NVD description (English source)
ruby webrick through v1.9.2 WEBrick reparses trailer Content-Length into canonical request state, enabling request smuggling.

