DEV Community

CVE Reports

Originally published at cvereports.com

CVE-2026-33195: Path Traversal Vulnerability in Ruby on Rails Active Storage DiskService

Vulnerability ID: CVE-2026-33195
CVSS Score: 8.0
Published: 2026-03-23

Ruby on Rails Active Storage contains a path traversal vulnerability in the DiskService component. Applications allowing user-controllable keys expose arbitrary file read, write, and deletion capabilities to unauthenticated attackers due to inadequate path sanitization.

TL;DR

A path traversal flaw in Rails Active Storage (CVSS 8.0) allows attackers to read or write arbitrary system files if the application permits user-defined blob keys. Patches are available in versions 7.2.3.1, 8.0.4.1, and 8.1.2.1.


Technical Details

  • CWE ID: CWE-22
  • Attack Vector: Network
  • CVSS Score: 8.0
  • Impact: Arbitrary File Read/Write/Delete
  • Exploit Status: Unweaponized
  • KEV Status: Not Listed

Affected Systems

  • Ruby on Rails (Active Storage component)
  • Systems utilizing DiskService for local file storage
  • activestorage: < 7.2.3.1 (Fixed in: 7.2.3.1)
  • activestorage: >= 8.0.0.beta1, < 8.0.4.1 (Fixed in: 8.0.4.1)
  • activestorage: >= 8.1.0.beta1, < 8.1.2.1 (Fixed in: 8.1.2.1)

Code Analysis

  • Fix Commit (v7.2): 4933c1e
  • Fix Commit (v8.0): a290c8a
  • Fix Commit (v8.1): 9b06fbc

Mitigation Strategies

  • Upgrade the activestorage gem to a patched version (7.2.3.1, 8.0.4.1, or 8.1.2.1).
  • Implement application-level input validation on custom endpoints that allow user-defined blob keys.
  • Audit custom ActiveStorage::Service implementations for similar path resolution vulnerabilities.
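As an added illustration of the validation and audit points above (example code written for this page, not code from Rails or from the report): a strict allow-list on the blob key, followed by a containment check on the path the key resolves to, so a key that escapes the storage root is refused rather than read, written or deleted. The 28-character base36 key shape and the two-level folder layout are assumptions about the default DiskService configuration; adjust both for applications that use custom keys.

```ruby
# Added example, not code from Rails Active Storage or from the CVE report.
# Assumption: blob keys have Active Storage's default shape, 28 lowercase
# base36 characters. Applications that generate their own keys must adapt
# SAFE_KEY to their format while keeping it an allow-list.
SAFE_KEY = /\A[a-z0-9]{28}\z/

# First line of defence: reject anything that is not a well-formed key.
# The allow-list excludes separators, dots, NUL bytes and non-String input,
# so no key containing "../" or an absolute path can reach path resolution.
def valid_blob_key?(key)
  key.is_a?(String) && SAFE_KEY.match?(key)
end

# Second line of defence (defence in depth): resolve the key under the storage
# root and check that the normalised result still lies inside that root.
# Assumption: the two-level folder layout (key[0..1]/key[2..3]/key); a real
# implementation should call the service's own path helper so both agree.
def resolve_under_root(root, key)
  root_path = File.expand_path(root)
  candidate = File.expand_path(File.join(root_path, key[0..1].to_s, key[2..3].to_s, key))
  # Require the separator so "/srv/storage-other" is not accepted as "/srv/storage".
  return nil unless candidate.start_with?(root_path + File::SEPARATOR)
  candidate
end

# Combined guard for an endpoint that accepts a user-supplied key:
# returns the on-disk path only when both checks pass, otherwise nil.
def safe_blob_path(root, key)
  return nil unless valid_blob_key?(key)
  resolve_under_root(root, key)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample keys for demonstration.
  puts safe_blob_path("/srv/storage", "abcdefghijklmnopqrstuvwxyz01").inspect
  puts safe_blob_path("/srv/storage", "../../../etc/passwd").inspect
end
```

Log a rejected key with the request context rather than silently returning nil, since repeated rejections on a custom upload endpoint are a useful detection signal.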

Remediation Steps:

  1. Identify all applications utilizing the activestorage gem.
  2. Determine if the application configuration uses DiskService for local storage.
  3. Update the Gemfile to require a patched version of Rails/activestorage.
  4. Run bundle update activestorage to apply the patch.
  5. Deploy the updated application to production environments.

Read the full report for CVE-2026-33195 on our website for more details including interactive diagrams and full exploit analysis.
