Vulnerability Description
Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's `DiskService#path_for` does not validate that the resolved filesystem path remains within the storage root directory. If a blob key containing path traversal sequences (e.g. `../`) is used, it could allow reading, writing, or deleting arbitrary files on the server. Blob keys are expected to be trusted strings, but some applications could be passing user input as keys and would be affected. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
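As an added illustration (not Active Storage's own code), a simplified disk-backed store that resolves a blob key under a storage root, showing the unchecked join beside a hardened `path_for` that normalizes the resolved path and rejects any key that escapes the root. The `DiskStore` class, its method names and the flat key-under-root layout are assumptions for this example.

```ruby
# Simplified model of a disk-backed blob store (constructed for this example,
# not Active Storage's own code). Assumed layout: blobs live directly under
# the storage root, named by their key.
class DiskStore
  class InvalidKey < ArgumentError; end

  def initialize(root)
    # Normalize once so the containment check compares absolute paths.
    @root = File.absolute_path(root)
  end

  # Unchecked resolution: the key is joined under the root with no check that
  # the result stays inside it, so "../" segments walk out of the directory.
  def unchecked_path_for(key)
    File.join(@root, key)
  end

  # Hardened resolution: normalize the joined path ("..", ".", repeated
  # separators) and require that it remains strictly inside the root.
  # File.absolute_path is used rather than File.expand_path because it does
  # not expand a leading "~" into a home directory.
  def path_for(key)
    candidate = File.absolute_path(key, @root)
    unless candidate.start_with?(@root + File::SEPARATOR)
      raise InvalidKey, "blob key resolves outside the storage root"
    end
    candidate
  end

  # Predicate form of the hardened check. ArgumentError also covers keys that
  # the path functions refuse outright (for example a key containing a NUL byte).
  def safe_key?(key)
    path_for(key)
    true
  rescue ArgumentError
    false
  end
end

if __FILE__ == $PROGRAM_NAME
  store = DiskStore.new("/var/app/storage")
  puts store.unchecked_path_for("../../etc/passwd") # leaves the root
  puts store.safe_key?("abc123")                    # true
  puts store.safe_key?("../../etc/passwd")          # false
end
```

The check above normalizes lexically only; where blobs may be reached through symlinks inside the root, compare `File.realpath` results instead, bearing in mind that `realpath` requires the target to exist.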
CVSS Score
9.8 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Rubyonrails | Rails | < 7.2.3.1 |
Related Weaknesses (CWE)
References
- Patch: https://github.com/rails/rails/commit/4933c1e3b8c1bb04925d60347be9f69270392f2c
- Patch: https://github.com/rails/rails/commit/9b06fbc0f504b8afe333f33d19548f3b85fbe655
- Patch: https://github.com/rails/rails/commit/a290c8a1ec189d793aa6d7f2570b6a763f675348
- Release Notes: https://github.com/rails/rails/releases/tag/v7.2.3.1
- Release Notes: https://github.com/rails/rails/releases/tag/v8.0.4.1
- Release Notes: https://github.com/rails/rails/releases/tag/v8.1.2.1
- Vendor Advisory: https://github.com/rails/rails/security/advisories/GHSA-9xrj-h377-fr87
FAQ
What is CVE-2026-33195?
CVE-2026-33195 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's `DiskService#path_for` does not validate that the resolved filesystem path remains within the storage root directory.
How severe is CVE-2026-33195?
CVE-2026-33195 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-33195?
Yes. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain the fix; see the references section above for the vendor advisory, patch commits and release notes. Affected product: Rails (vendor Rubyonrails).