CVE-2026-33195

Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's `DiskService#path_for` does not validate that the resolved filesystem path remains within the storage root directory. If a blob key containing path traversal sequences (e.g. `../`) is used, it could allow reading, writing, or deleting arbitrary files on the server. Blob keys are expected to be trusted strings, but some applications could be passing user input as keys and would be affected. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/rails/rails/commit/4933c1e3b8c1bb04925d60347be9f69270392f2c	Patch
https://github.com/rails/rails/commit/9b06fbc0f504b8afe333f33d19548f3b85fbe655	Patch
https://github.com/rails/rails/commit/a290c8a1ec189d793aa6d7f2570b6a763f675348	Patch
https://github.com/rails/rails/releases/tag/v7.2.3.1	Release Notes
https://github.com/rails/rails/releases/tag/v8.0.4.1	Release Notes
https://github.com/rails/rails/releases/tag/v8.1.2.1	Release Notes
https://github.com/rails/rails/security/advisories/GHSA-9xrj-h377-fr87	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:rubyonrails:rails::::::::
	cpe:2.3:a:rubyonrails:rails::::::::
	cpe:2.3:a:rubyonrails:rails::::::::

History

24 Mar 2026, 17:55

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8
CPE		cpe:2.3:a:rubyonrails:rails::::::::
References	~~() https://github.com/rails/rails/commit/4933c1e3b8c1bb04925d60347be9f69270392f2c -~~	() https://github.com/rails/rails/commit/4933c1e3b8c1bb04925d60347be9f69270392f2c - Patch
References	~~() https://github.com/rails/rails/commit/9b06fbc0f504b8afe333f33d19548f3b85fbe655 -~~	() https://github.com/rails/rails/commit/9b06fbc0f504b8afe333f33d19548f3b85fbe655 - Patch
References	~~() https://github.com/rails/rails/commit/a290c8a1ec189d793aa6d7f2570b6a763f675348 -~~	() https://github.com/rails/rails/commit/a290c8a1ec189d793aa6d7f2570b6a763f675348 - Patch
References	~~() https://github.com/rails/rails/releases/tag/v7.2.3.1 -~~	() https://github.com/rails/rails/releases/tag/v7.2.3.1 - Release Notes
References	~~() https://github.com/rails/rails/releases/tag/v8.0.4.1 -~~	() https://github.com/rails/rails/releases/tag/v8.0.4.1 - Release Notes
References	~~() https://github.com/rails/rails/releases/tag/v8.1.2.1 -~~	() https://github.com/rails/rails/releases/tag/v8.1.2.1 - Release Notes
References	~~() https://github.com/rails/rails/security/advisories/GHSA-9xrj-h377-fr87 -~~	() https://github.com/rails/rails/security/advisories/GHSA-9xrj-h377-fr87 - Vendor Advisory
First Time		Rubyonrails Rubyonrails rails
Summary		(es) Active Storage permite a los usuarios adjuntar archivos locales y en la nube en aplicaciones Rails. Antes de las versiones 8.1.2.1, 8.0.4.1 y 7.2.3.1, 'DiskService#path_for' de Active Storage no valida que la ruta del sistema de archivos resuelta permanezca dentro del directorio raíz de almacenamiento. Si se utiliza una clave de blob que contiene secuencias de salto de ruta (por ejemplo, '../'), podría permitir la lectura, escritura o eliminación de archivos arbitrarios en el servidor. Se espera que las claves de blob sean cadenas de confianza, pero algunas aplicaciones podrían estar pasando entradas de usuario como claves y se verían afectadas. Las versiones 8.1.2.1, 8.0.4.1 y 7.2.3.1 contienen un parche.

24 Mar 2026, 00:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-24 00:16

Updated : 2026-03-24 17:55

NVD link : CVE-2026-33195

Mitre link : CVE-2026-33195

CVE.ORG link : CVE-2026-33195

JSON object : View

Products Affected

rubyonrails

rails

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

9.8 /10