Skip to main content

Red Hat CVE-2026-33173

MEDIUM
Improper Verification of Intent by Broadcast Receiver (CWE-925)
2026-03-23 https://github.com/rails/rails
5.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
SUSE
MEDIUM
qualitative
Red Hat
7.6 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
Analysis Generated
Mar 23, 2026 - 21:00 vuln.today
Patch released
Mar 23, 2026 - 21:00 nvd
Patch available
CVE Published
Mar 23, 2026 - 20:54 nvd
MEDIUM 5.3

DescriptionGitHub Advisory

Impact

Active Storage's DirectUploadsController accepts arbitrary metadata from the client and persists it on the blob. Because internal flags like identified and analyzed are stored in the same metadata hash, a malicious direct-upload client could set these flags.

Releases

The fixed releases are available at the normal locations.

AnalysisAI

Rails Active Storage's DirectUploadsController accepts and persists arbitrary client-supplied metadata on blob objects, allowing attackers to manipulate internal flags like 'identified' and 'analyzed' that should only be set by the server. This affects Ruby on Rails versions across multiple release branches (7.2.x, 8.0.x, and 8.1.x prior to the patched versions 7.2.3.1, 8.0.4.1, and 8.1.2.1), and while not currently listed in the KEV catalog, patches are available from the vendor indicating acknowledgment of the issue's validity.

Technical ContextAI

Rails Active Storage (CPE: pkg:rubygems/activestorage) is Ruby on Rails' built-in framework for handling file uploads and storage integration. The vulnerability stems from CWE-925 (Improper Verification of Source Ownership), wherein the DirectUploadsController accepts metadata from untrusted client sources without proper validation or sanitization. The blob metadata hash is used to store both user-supplied information and critical internal state flags (identified, analyzed) that control downstream processing behavior. By accepting arbitrary metadata in direct uploads, the controller conflates user data with system state, allowing clients to forge internal flags that the application assumes can only be set through proper server-side processing pipelines.

RemediationAI

Immediately upgrade Rails to patched versions: 7.2.3.1 or later, 8.0.4.1 or later, or 8.1.2.1 or later, as appropriate for your deployed version. The patches are available via standard RubyGems channels and GitHub releases (see https://github.com/rails/rails/releases). Until patching is completed, restrict access to the DirectUploadsController to authenticated users only via application-level authorization checks, and consider disabling direct uploads entirely if not essential to your application workflow. Review any custom metadata handling code that may interact with blob metadata to ensure it does not assume server-side control of the 'identified' or 'analyzed' flags. The committed fixes (available at the GitHub commit hashes provided in the advisory) implement proper server-side validation to prevent client-supplied metadata from overwriting reserved internal flags.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 16.0 Fixed
SUSE Linux Enterprise High Availability Extension 16.1 Fixed

Share

CVE-2026-33173 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy