CVE-2026-33202

Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's `DiskService#delete_prefixed` passes blob keys directly to `Dir.glob` without escaping glob metacharacters. If a blob key contains attacker-controlled input or custom-generated keys with glob metacharacters, it may be possible to delete unintended files from the storage directory. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/rails/rails/commit/8c9676b803820110548cdb7523800db43bc6874c	Patch
https://github.com/rails/rails/commit/955284d26e469a9c026a4eee5b21f0414ab0bccf	Patch
https://github.com/rails/rails/commit/fa19073546360856e9f4dab221fc2c5d73a45e82	Patch
https://github.com/rails/rails/releases/tag/v7.2.3.1	Release Notes
https://github.com/rails/rails/releases/tag/v8.0.4.1	Release Notes
https://github.com/rails/rails/releases/tag/v8.1.2.1	Release Notes
https://github.com/rails/rails/security/advisories/GHSA-73f9-jhhh-hr5m	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:rubyonrails:rails::::::::
	cpe:2.3:a:rubyonrails:rails::::::::
	cpe:2.3:a:rubyonrails:rails::::::::

History

24 Mar 2026, 17:55

Type	Values Removed	Values Added
Summary		(es) Active Storage permite a los usuarios adjuntar archivos locales y en la nube en aplicaciones Rails. Antes de las versiones 8.1.2.1, 8.0.4.1 y 7.2.3.1, el 'DiskService#delete_prefixed' de Active Storage pasa las claves de blob directamente a 'Dir.glob' sin escapar los metacaracteres glob. Si una clave de blob contiene entrada controlada por el atacante o claves generadas a medida con metacaracteres glob, puede ser posible eliminar archivos no deseados del directorio de almacenamiento. Las versiones 8.1.2.1, 8.0.4.1 y 7.2.3.1 contienen un parche.
References	~~() https://github.com/rails/rails/commit/8c9676b803820110548cdb7523800db43bc6874c -~~	() https://github.com/rails/rails/commit/8c9676b803820110548cdb7523800db43bc6874c - Patch
References	~~() https://github.com/rails/rails/commit/955284d26e469a9c026a4eee5b21f0414ab0bccf -~~	() https://github.com/rails/rails/commit/955284d26e469a9c026a4eee5b21f0414ab0bccf - Patch
References	~~() https://github.com/rails/rails/commit/fa19073546360856e9f4dab221fc2c5d73a45e82 -~~	() https://github.com/rails/rails/commit/fa19073546360856e9f4dab221fc2c5d73a45e82 - Patch
References	~~() https://github.com/rails/rails/releases/tag/v7.2.3.1 -~~	() https://github.com/rails/rails/releases/tag/v7.2.3.1 - Release Notes
References	~~() https://github.com/rails/rails/releases/tag/v8.0.4.1 -~~	() https://github.com/rails/rails/releases/tag/v8.0.4.1 - Release Notes
References	~~() https://github.com/rails/rails/releases/tag/v8.1.2.1 -~~	() https://github.com/rails/rails/releases/tag/v8.1.2.1 - Release Notes
References	~~() https://github.com/rails/rails/security/advisories/GHSA-73f9-jhhh-hr5m -~~	() https://github.com/rails/rails/security/advisories/GHSA-73f9-jhhh-hr5m - Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.1
CPE		cpe:2.3:a:rubyonrails:rails::::::::
First Time		Rubyonrails Rubyonrails rails

24 Mar 2026, 00:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-24 00:16

Updated : 2026-03-24 17:55

NVD link : CVE-2026-33202

Mitre link : CVE-2026-33202

CVE.ORG link : CVE-2026-33202

JSON object : View

Products Affected

rubyonrails

rails

CWE

CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

9.1 /10