CVE-2026-34060

Ruby LSP is an implementation of the language server protocol for Ruby. Prior to Shopify.ruby-lsp version 0.10.2 and ruby-lsp version 0.26.9, the rubyLsp.branch VS Code workspace setting was interpolated without sanitization into a generated Gemfile, allowing arbitrary Ruby code execution when a user opens a project containing a malicious .vscode/settings.json. This issue has been patched in Shopify.ruby-lsp version 0.10.2 and ruby-lsp version 0.26.9.
Configurations

Configuration 1

OR cpe:2.3:a:shopify:ruby_lsp:*:*:*:*:*:visual_studio_code:*:*
cpe:2.3:a:shopify:ruby_lsp:*:*:*:*:*:ruby:*:*

History

03 Jun 2026, 01:18

Type | Values Removed | Values Added
First Time | | Shopify; Shopify ruby Lsp
CPE | | cpe:2.3:a:shopify:ruby_lsp:*:*:*:*:*:ruby:*:*; cpe:2.3:a:shopify:ruby_lsp:*:*:*:*:*:visual_studio_code:*:*
References | https://github.com/Shopify/ruby-lsp/releases/tag/v0.26.9 | https://github.com/Shopify/ruby-lsp/releases/tag/v0.26.9 - Release Notes
References | https://github.com/Shopify/ruby-lsp/security/advisories/GHSA-c4r5-fxqw-vh93 | https://github.com/Shopify/ruby-lsp/security/advisories/GHSA-c4r5-fxqw-vh93 - Vendor Advisory, Mitigation

02 Apr 2026, 15:16

Type | Values Removed | Values Added
CVSS | v2 : unknown; v3 : unknown | v2 : unknown; v3 : 9.8

01 Apr 2026, 14:24

Type | Values Removed | Values Added
Summary | | (es) Ruby LSP is an implementation of the language server protocol for Ruby. Prior to Shopify.ruby-lsp version 0.10.2 and ruby-lsp version 0.26.9, the rubyLsp.branch VS Code workspace setting was interpolated without sanitization into a generated Gemfile, allowing arbitrary Ruby code execution when a user opens a project containing a malicious .vscode/settings.json file. This issue has been patched in Shopify.ruby-lsp version 0.10.2 and ruby-lsp version 0.26.9.

31 Mar 2026, 03:15

Type | Values Removed | Values Added
New CVE | |

Information

Published : 2026-03-31 03:15

Updated : 2026-06-03 01:18


NVD link : CVE-2026-34060

Mitre link : CVE-2026-34060

CVE.ORG link : CVE-2026-34060



Products Affected

shopify

  • ruby_lsp
CWE
CWE-94

Improper Control of Generation of Code ('Code Injection')