DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-33202: Glob Injection and Arbitrary File Deletion in Rails Active Storage

Vulnerability ID: CVE-2026-33202
CVSS Score: 6.6
Published: 2026-03-23

CVE-2026-33202 is a Medium severity vulnerability in the Ruby on Rails Active Storage component (DiskService). It permits attackers to perform glob injection attacks due to improper neutralization of metacharacters, potentially leading to unauthorized deletion of arbitrary files within the storage directory.

TL;DR

A glob injection vulnerability in Rails Active Storage DiskService allows attackers who can control file prefixes to delete arbitrary files within the storage root directory.


Technical Details

  • CWE ID: CWE-74 (Glob Injection)
  • Attack Vector: Network
  • CVSS v4.0 Score: 6.6 (Medium)
  • Primary Impact: Arbitrary File Deletion (High Integrity Loss)
  • Exploit Status: Unproven / No Active Exploitation
  • CISA KEV: Not Listed

Affected Systems

  • Ruby on Rails
  • Active Storage
  • DiskService
  • Active Storage (Rails): >= 8.1.0.beta1, < 8.1.2.1 (Fixed in: 8.1.2.1)
  • Active Storage (Rails): >= 8.0.0.beta1, < 8.0.4.1 (Fixed in: 8.0.4.1)
  • Active Storage (Rails): < 7.2.3.1 (Fixed in: 7.2.3.1)

Code Analysis

Commit: 8c9676b

Primary fix implementing escape_glob_metacharacters in DiskService

Commit: 955284d

Additional patch adjustments for path resolution

Commit: fa19073

Test cases and minor adjustments for DiskService fix

Mitigation Strategies

  • Upgrade the activestorage RubyGem to the latest patch release provided by the vendor.
  • Implement strict input validation on all user-controlled data that influences Active Storage blob keys or prefixes.
  • Enforce an alphanumeric allowlist for file keys to preemptively reject glob metacharacters.
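As an added illustration that is not part of the original report and not Active Storage's own code, the Ruby script below contrasts a prefix glob built without escaping against one that escapes glob metacharacters (the idea the fix commit's escape_glob_metacharacters name points to), and adds the allowlist check from the list above. The storage layout, the sample keys and the lowercase alphanumeric key pattern are constructed assumptions; the script only lists what each variant would select and deletes nothing.

```ruby
require "tmpdir"
require "fileutils"

# Constructed blob keys for a throwaway storage root: two parts of one upload
# plus a blob that a prefix delete must never touch.
SAMPLE_KEYS = %w[abc123part1 abc123part2 zzz999other].freeze

# Characters Dir.glob interprets: wildcards, character classes, braces, escape.
GLOB_METACHARACTERS = /[*?\[\]{}\\]/

# Illustrative reimplementation of the idea behind the fix (not the gem's
# code): backslash-escape every metacharacter so the prefix matches literally.
def escape_glob_metacharacters(str)
  str.gsub(GLOB_METACHARACTERS) { |c| "\\#{c}" }
end

# Allowlist from the mitigation list; lowercase alphanumeric is an assumed key
# format, adjust to match the keys your application actually generates.
def allowlisted_key?(key)
  key.match?(/\A[a-z0-9]+\z/)
end

# Basenames a prefix glob under +root+ would select. escape: false reproduces
# the vulnerable "#{prefix}*" pattern; escape: true is the hardened form.
def paths_selected_for_prefix(root, prefix, escape:)
  pattern = escape ? escape_glob_metacharacters(prefix) : prefix
  Dir.glob(File.join(root, "#{pattern}*")).map { |p| File.basename(p) }.sort
end

# Populates a temporary storage root with SAMPLE_KEYS and yields its path.
def with_sample_storage_root
  Dir.mktmpdir("disk_service_demo") do |root|
    SAMPLE_KEYS.each { |key| FileUtils.touch(File.join(root, key)) }
    yield root
  end
end

# Lists (never deletes) what each variant would select for one prefix.
def compare_prefix_handling(prefix)
  with_sample_storage_root do |root|
    { unescaped: paths_selected_for_prefix(root, prefix, escape: false),
      escaped: paths_selected_for_prefix(root, prefix, escape: true) }
  end
end

if $PROGRAM_NAME == __FILE__
  ["abc123part", "*", "abc123part[12]"].each do |prefix|
    puts "#{prefix.inspect} allowlisted=#{allowlisted_key?(prefix)} #{compare_prefix_handling(prefix)}"
  end
end
```

A prefix such as "*" or "abc123part[12]" selects blobs beyond the intended upload only in the unescaped variant; the escaped variant matches those prefixes as literal text and selects nothing.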

Remediation Steps:

  1. Identify the current version of the Rails framework and activestorage gem used in the application.
  2. Update the Gemfile to require a patched version (8.1.2.1, 8.0.4.1, or 7.2.3.1).
  3. Run bundle update activestorage to apply the update.
  4. Execute the application test suite to ensure the path resolution changes do not break existing file management workflows.
  5. Deploy the updated application to production environments.


Read the full report for CVE-2026-33202 on our website for more details including interactive diagrams and full exploit analysis.