CVE-2026-7381: Plack::Middleware::XSendfile Client-Controlled Path Rewriting
A critical severity vulnerability has been disclosed in Plack::Middleware::XSendfile, a widely used Perl/PSGI middleware component for efficiently offloading file serving to a front-end web server. Tracked as CVE-2026-7381 and scoring CVSS 9.1 (Critical), the flaw affects all versions through 1.0053 and allows a remote attacker to control the sendfile variation (type) via the client-supplied X-Sendfile-Type HTTP header — bypassing any server-configured file access controls.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-7381 |
| CVSS Score | 9.1 (Critical) |
| Affected Component | Plack::Middleware::XSendfile |
| Affected Versions | All versions through 1.0053 |
| Attack Vector | Network — No authentication required |
| In-the-Wild Exploitation | Not confirmed at time of disclosure |
| Published | April 29, 2026 |
Background: X-Sendfile and PSGI Middleware
X-Sendfile is a mechanism used by web frameworks to delegate the actual file transfer to a front-end server (Apache, Nginx, Lighttpd) after the application has performed authentication and authorization checks. The flow is:
1. Application receives request for a protected file
2. Application validates user authorization
3. Application responds with special header (X-Sendfile, X-Accel-Redirect, etc.)
4. Front-end server reads the header and serves the file directly from disk
5. File transfer bypasses the application layer entirely

The variation (sendfile type) determines which header format the middleware sends:

- X-Sendfile: used by Apache with mod_xsendfile
- X-Accel-Redirect: used by Nginx
- X-LIGHTTPD-send-file: used by Lighttpd
In a secure configuration, the sendfile type is set at application startup and cannot be overridden at runtime.
Technical Analysis
The vulnerability in Plack::Middleware::XSendfile versions through 1.0053 is that the middleware reads the X-Sendfile-Type header from the incoming client request and applies it as the variation setting — even when the variation has not been explicitly configured in the middleware constructor.
The Flaw
```perl
# Vulnerable pattern in Plack::Middleware::XSendfile (conceptual)
sub call {
    my ($self, $env) = @_;

    # Dangerous: when no variation was configured in the constructor, the type
    # falls back to the X-Sendfile-Type header of the incoming request
    my $type = $self->{variation}
        || $env->{'HTTP_X_SENDFILE_TYPE'};    # attacker-controlled

    my $res = $self->app->($env);
    # ... $type decides which sendfile header is added to $res and how the
    # file path is rewritten before the front-end server acts on it
    return $res;
}
```

When variation is not set in the constructor, the middleware accepts the X-Sendfile-Type header from the client. This allows an attacker to:
- Choose the sendfile type — switching from the intended format to one that rewrites paths differently
- Trigger path manipulation — since different X-Sendfile variants handle file paths and base directories differently, an attacker-selected variation may cause the middleware to construct file paths outside the intended root
- Bypass access controls — files the application would never serve on its own may become reachable if the front-end server honors the response header the middleware produces from the attacker's chosen variation
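The following standalone Perl is an added example written for this page, not Plack's own implementation. It models both the flow sketched under Background (an application response carrying a file path is turned into a sendfile header) and the precedence flaw above, with the vulnerable lookup beside a hardened one, and runs them on a constructed PSGI environment and response. The mapping of /srv/files to /protected for X-Accel-Redirect, the hashref body standing in for Plack's path-aware body object, and the request itself are assumptions made for the demonstration:

```perl
#!/usr/bin/env perl
# Added example, not Plack's code: a minimal model of the X-Sendfile middleware
# pattern described above, in vulnerable and hardened form, run against a
# constructed PSGI environment and application response.
use strict;
use warnings;

# Assumption for this model: Apache's X-Sendfile and Lighttpd's header carry a
# filesystem path, while Nginx's X-Accel-Redirect carries an internal URI, so the
# path must be rewritten through a server-side mapping (/srv/files -> /protected).
my %ACCEL_MAP = ('/srv/files' => '/protected');

sub rewrite_for_type {
    my ($type, $path) = @_;
    return $path unless $type eq 'X-Accel-Redirect';
    for my $root (keys %ACCEL_MAP) {
        return $ACCEL_MAP{$root} . substr($path, length $root)
            if index($path, "$root/") == 0;
    }
    return;    # not under a mapped root: emit nothing rather than a raw path
}

# Vulnerable selection (the pattern on this page): configured variation,
# otherwise whatever the client put in X-Sendfile-Type.
sub vulnerable_type {
    my ($mw, $env) = @_;
    return $mw->{variation} || $env->{HTTP_X_SENDFILE_TYPE};
}

# Hardened selection: the variation is server configuration only. With none
# configured the middleware stays inert and the application streams the body.
sub hardened_type {
    my ($mw, $env) = @_;
    return $mw->{variation};
}

# The middleware step on a PSGI response triple: when the body carries a path
# (modelled here as a hashref, standing in for Plack's path-aware body object),
# replace it with the header the selected variation expects.
sub apply_sendfile {
    my ($select, $mw, $env, $res) = @_;
    my ($status, $headers, $body) = @$res;
    return $res unless ref $body eq 'HASH' && defined $body->{path};
    my $type = $select->($mw, $env) or return $res;
    my $target = rewrite_for_type($type, $body->{path});
    return $res unless defined $target;
    return [ $status, [ @$headers, $type => $target, 'Content-Length' => 0 ], [] ];
}

# Constructed request: an authorised client asks for a file and also sends
# X-Sendfile-Type, which no browser does on its own.
my $env = {
    REQUEST_METHOD       => 'GET',
    PATH_INFO            => '/files/report.pdf',
    HTTP_X_SENDFILE_TYPE => 'X-Sendfile',
};
my $app_res = [ 200, [ 'Content-Type' => 'application/pdf' ],
                { path => '/srv/files/report.pdf' } ];

my @cases = (
    [ 'variation unset, vulnerable lookup', {},                                  \&vulnerable_type ],
    [ 'variation unset, hardened lookup',   {},                                  \&hardened_type   ],
    [ 'variation set to X-Accel-Redirect',  { variation => 'X-Accel-Redirect' }, \&vulnerable_type ],
);

for my $case (@cases) {
    my ($label, $mw, $select) = @$case;
    my $out = apply_sendfile($select, $mw, $env, $app_res);
    my %h = @{ $out->[1] };
    my ($hdr) = grep { /^X-/ } keys %h;
    printf "%-38s -> %s\n", $label,
        $hdr ? "$hdr: $h{$hdr}" : 'no sendfile header; body streamed by the app';
}
```

The first case is the vulnerable deployment: nothing was configured, so the client's X-Sendfile-Type picks an Apache-style X-Sendfile header carrying the raw filesystem path, even if the front end is Nginx. The second case shows the hardened lookup doing nothing without server-side configuration, and the third shows that once variation is set the client header is never consulted and the path is rewritten through the server's own mapping.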
Exploitation Path
1. Attacker identifies a PSGI application running Plack::Middleware::XSendfile with no explicit variation configured
2. Attacker crafts a request to a file endpoint, adding an X-Sendfile-Type header that names the variation of their choice (X-Accel-Redirect here; any supported variation works):

```http
GET /files/report.pdf HTTP/1.1
Host: target.example.com
X-Sendfile-Type: X-Accel-Redirect
```

3. XSendfile middleware reads the attacker-supplied X-Sendfile-Type
4. Middleware applies that variation's path-rewriting logic, potentially constructing a file path outside the intended directory
5. Front-end server (Nginx/Apache) reads the rewritten path header and serves a file from an unintended location

The CVSS 9.1 score reflects an attack that is reachable over the network, requires no authentication, and has high confidentiality impact (potential arbitrary file read).
Affected Deployments
Any Perl/PSGI web application using Plack::Middleware::XSendfile <= 1.0053 is potentially affected if:
- The variation option is not explicitly set in the middleware constructor
- The application serves files through an X-Sendfile mechanism
- A front-end web server (Apache, Nginx, Lighttpd) is configured to process X-Sendfile headers
Applications that explicitly set variation in the constructor during initialization are not vulnerable, as the client-supplied header is ignored in that code path.
Remediation
Primary Fix: Update to a Patched Version
Plack::Middleware::XSendfile ships inside the Plack distribution, so the fix arrives by updating Plack itself:

```shell
# Update via CPAN
cpan Plack
# Or via cpanm
cpanm Plack
# Or via Carton (if the application has a cpanfile); "carton install" alone
# keeps the pinned version, an update is needed to move the snapshot forward
carton update Plack
# Verify the installed version of the module and of the Plack distribution it ships in
perl -MPlack::Middleware::XSendfile -e 'print $Plack::Middleware::XSendfile::VERSION, "\n"'
perl -MPlack -e 'print $Plack::VERSION, "\n"'
```

Immediate Mitigation: Explicitly Configure the Variation
If patching immediately is not possible, explicitly set the variation in the middleware constructor to remove the client-controlled code path:
```perl
# Secure configuration — variation is server-side only
use Plack::Builder;

builder {
    enable 'XSendfile', variation => 'X-Accel-Redirect';  # Set for Nginx
    # Or 'X-Sendfile' for Apache, 'X-LIGHTTPD-send-file' for Lighttpd
    $app;
};
```

Network-Level Controls
- Strip the X-Sendfile-Type header at the reverse proxy before it reaches the PSGI application. In Nginx, setting the header to an empty string removes it from the proxied request; if the proxy is the component that is meant to tell the application which variation to use, proxy_set_header with the real value likewise overwrites whatever the client sent:

```nginx
# Nginx — remove client-supplied header
proxy_set_header X-Sendfile-Type "";
```

  This only helps when every request passes through the proxy; a PSGI server that is also reachable directly still sees the client's header.
- Restrict X-Sendfile base directories at the front-end server (for example mod_xsendfile's XSendFilePath directive) to limit the scope of any path manipulation
- Apply WAF rules to block or sanitize the X-Sendfile-Type request header
Detection
Identify Vulnerable Installations
```shell
# Check installed version (the module ships in the Plack distribution)
perl -MPlack::Middleware::XSendfile -e 'print $Plack::Middleware::XSendfile::VERSION, "\n"'
perl -MPlack -e 'print $Plack::VERSION, "\n"'
# Scan the dependency manifest and Carton snapshot for Plack
grep -n "Plack" cpanfile cpanfile.snapshot
# Search application code (including app.psgi) for XSendfile enabled without a
# variation; a variation set on a following line still needs a manual look
grep -rn "XSendfile" . --include="*.pm" --include="*.pl" --include="*.psgi" | grep -v "variation"
```

Monitor for Exploitation Attempts
```shell
# Check access logs for X-Sendfile-Type in requests. Nginx's default log_format
# does not record request headers, so this needs a log_format that includes
# $http_x_sendfile_type (and $upstream_http_x_accel_redirect or
# $upstream_http_x_sendfile for the response side).
grep -i "X-Sendfile-Type" /var/log/nginx/access.log
grep -i "HTTP_X_SENDFILE_TYPE" /var/log/app/access.log
# Look for unusual file paths in X-Accel-Redirect or X-Sendfile response headers
grep "X-Accel-Redirect\|X-Sendfile" /var/log/nginx/access.log | grep "\.\."
```

Requests that arrive with an X-Sendfile-Type header should be treated as suspicious and investigated: browsers do not send it, so its presence means a client is deliberately trying to steer the middleware.
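The static checks above find the code; the following in-process probe, an added example that is not part of Plack or of this advisory, asks the running application directly whether the sendfile variation follows the client's X-Sendfile-Type header. It assumes the application loads from app.psgi (or the file given as the first argument), serves a file at /files/report.pdf (second argument), and, if that endpoint requires authentication, that a valid Authorization header value is passed as the third argument so the request reaches the file-serving code path:

```perl
#!/usr/bin/env perl
# Added example, not part of Plack or this advisory: an in-process probe that asks
# your own PSGI application whether the sendfile variation follows the client's
# X-Sendfile-Type header. Assumptions: the app loads from app.psgi (or the file
# given as first argument) and serves a file at /files/report.pdf (second
# argument); if that endpoint needs authentication, pass an Authorization header
# value as the third argument so the request reaches the file-serving code.
use strict;
use warnings;
use Plack::Test;
use Plack::Util;
use HTTP::Request::Common qw(GET);

my ($psgi, $path, $auth) = @ARGV;
$psgi //= 'app.psgi';
$path //= '/files/report.pdf';
my @auth = defined $auth ? ( Authorization => $auth ) : ();

my $app  = Plack::Util::load_psgi($psgi);
my $test = Plack::Test->create($app);    # MockHTTP: no listening socket needed
my @types = qw(X-Sendfile X-Accel-Redirect X-LIGHTTPD-send-file);

# Control request without X-Sendfile-Type: any sendfile header present here is
# the server-configured variation, which is legitimate.
my $control = $test->request( GET $path, @auth );
my %configured = map { $_ => 1 } grep { defined $control->header($_) } @types;
printf "control request: status %d, configured variation: %s\n",
    $control->code, join( ', ', keys %configured ) || 'none';

# Now ask for each other variation by name. If the response carries the header
# we asked for, the application let the client choose the variation.
my @client_selected;
for my $type ( grep { !$configured{$_} } @types ) {
    my $res = $test->request( GET $path, @auth, 'X-Sendfile-Type' => $type );
    my $value = $res->header($type);
    printf "%-21s status %d -> %s\n", $type, $res->code,
        defined $value ? "emitted $type: $value" : "no $type header";
    push @client_selected, $type if defined $value;
}

if (@client_selected) {
    print "RESULT: client-selected variation honoured (@client_selected); "
        . "set variation explicitly or upgrade Plack.\n";
    exit 1;
}
print "RESULT: no client-selected variation observed for $path "
    . "(a 401/404 status above means the file path was never reached).\n";
exit 0;
```

A positive result is conclusive: the application emitted a sendfile header for a variation that only the client asked for. A negative result is weaker, since the middleware only acts when the application actually returned a file body, so check the reported status codes before concluding the deployment is safe, and re-run the probe after setting variation or upgrading to confirm the header is no longer honoured.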
Impact Assessment
| Impact Area | Description |
|---|---|
| Arbitrary File Read | Attacker can rewrite paths to access files outside the intended directory |
| Authentication Bypass | Files normally gated behind application auth may be served directly |
| Information Disclosure | Configuration files, credentials, private keys may be exposed |
| CVSS 9.1 | Network-accessible, no authentication, high confidentiality impact |
| Affected Ecosystem | All Perl/PSGI applications using the middleware without explicit variation |
Key Takeaways
- CVE-2026-7381 is a CVSS 9.1 Critical flaw in Plack::Middleware::XSendfile (all versions ≤ 1.0053) for Perl
- The vulnerability allows the client to set the X-Sendfile-Type header, overriding the server's intended sendfile variation
- This enables client-controlled path rewriting, potentially exposing files outside the intended web root
- Update to a patched version immediately, or explicitly configure the variation setting in the middleware constructor
- Network-level controls (stripping the header at the proxy) can serve as a compensating control while patching is underway