CVE-2026-33195
CRITICALCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3Tags
Description
### Impact Active Storage's `DiskService#path_for` does not validate that the resolved filesystem path remains within the storage root directory. If a blob key containing path traversal sequences (e.g. `../`) is used, it could allow reading, writing, or deleting arbitrary files on the server. Blob keys are expected to be trusted strings, but some applications could be passing user input as keys and would be affected. ### Releases The fixed releases are available at the normal locations.
Analysis
Active Storage's DiskService component in Ruby on Rails contains a path traversal vulnerability (CWE-22) that fails to validate resolved filesystem paths remain within the storage root directory. Applications passing untrusted user input as blob keys are vulnerable to arbitrary file read, write, or deletion operations on the server. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: identify all Rails applications in production and their versions, prioritize those using Active Storage with user input. Within 7 days: apply vendor patches (Rails 7.2.3.1, 8.0.4.1, or 8.1.2.1) or upgrade to patched versions; test thoroughly in staging. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today