Skip to main content

CVE-2026-33195

HIGH
Path Traversal (CWE-22)
2026-03-23 https://github.com/rails/rails GHSA-9xrj-h377-fr87
8.0
CVSS 4.0 · Vendor: https://github.com/rails/rails
Share

Severity by source

Vendor (https://github.com/rails/rails) PRIMARY
8.0 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Red Hat
8.1 HIGH
qualitative

Primary rating from Vendor (https://github.com/rails/rails).

CVSS VectorVendor: https://github.com/rails/rails

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Severity Changed
Jun 30, 2026 - 03:24 NVD
CRITICAL HIGH
CVSS changed
Jun 30, 2026 - 03:24 NVD
9.8 (CRITICAL) 8.0 (HIGH)
Analysis Generated
Mar 23, 2026 - 21:30 vuln.today
Patch released
Mar 23, 2026 - 21:30 nvd
Patch available
CVE Published
Mar 23, 2026 - 21:17 nvd
CRITICAL 9.8

DescriptionCVE.org

Impact

Active Storage's DiskService#path_for does not validate that the resolved filesystem path remains within the storage root directory. If a blob key containing path traversal sequences (e.g. ../) is used, it could allow reading, writing, or deleting arbitrary files on the server. Blob keys are expected to be trusted strings, but some applications could be passing user input as keys and would be affected.

Releases

The fixed releases are available at the normal locations.

AnalysisAI

Active Storage's DiskService component in Ruby on Rails contains a path traversal vulnerability (CWE-22) that fails to validate resolved filesystem paths remain within the storage root directory. Applications passing untrusted user input as blob keys are vulnerable to arbitrary file read, write, or deletion operations on the server. Patches are available in Rails versions 7.2.3.1, 8.0.4.1, and 8.1.2.1, with no current evidence of active exploitation or public proof-of-concept code.

Technical ContextAI

This vulnerability affects the Active Storage component (pkg:rubygems/activestorage) in Ruby on Rails, specifically the DiskService#path_for method responsible for resolving blob storage paths on local filesystems. The root cause is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as path traversal. When blob keys containing directory traversal sequences like '../' are processed, the method fails to sanitize or validate that the computed path remains within the designated storage root, allowing filesystem access outside intended boundaries. Active Storage is Rails' framework for uploading files to cloud services or local disk storage, and the blob key is typically a trusted identifier generated by the framework, though some applications may inadvertently expose this parameter to user-controlled input.

RemediationAI

Upgrade Ruby on Rails to version 7.2.3.1, 8.0.4.1, or 8.1.2.1 depending on your current release series. Official patched releases are available at https://github.com/rails/rails/releases/tag/v7.2.3.1, https://github.com/rails/rails/releases/tag/v8.0.4.1, and https://github.com/rails/rails/releases/tag/v8.1.2.1. The fixes are implemented in commits 4933c1e3b8c1bb04925d60347be9f69270392f2c, 9b06fbc0f504b8afe333f33d19548f3b85fbe655, and a290c8a1ec189d793aa6d7f2570b6a763f675348. Until patching is completed, immediately audit application code to ensure blob keys are never derived from user input and implement strict input validation on any parameters that could influence file storage paths. Consider temporarily switching to cloud storage services if DiskService cannot be secured immediately, as cloud providers typically implement their own path validation.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 16.0 Fixed
SUSE Linux Enterprise High Availability Extension 16.1 Fixed

Share

CVE-2026-33195 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy