Skip to main content

Red Hat CVE-2026-33202

CRITICAL
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2026-03-23 https://github.com/rails/rails
Critical
Disputed · 9.1 NVD
Share

Severity by source

Sources disagree (Medium–Critical)
GitHub Advisory PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
SUSE
CRITICAL
qualitative
Red Hat
6.5 MEDIUM
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
Mar 23, 2026 - 21:30 vuln.today
Patch released
Mar 23, 2026 - 21:30 nvd
Patch available
CVE Published
Mar 23, 2026 - 21:18 nvd
CRITICAL 9.1

DescriptionGitHub Advisory

Impact

Active Storage's DiskService#delete_prefixed passes blob keys directly to Dir.glob without escaping glob metacharacters. If a blob key contains attacker-controlled input or custom-generated keys with glob metacharacters, it may be possible to delete unintended files from the storage directory.

Releases

The fixed releases are available at the normal locations.

AnalysisAI

Rails Active Storage's DiskService#delete_prefixed method fails to escape glob metacharacters when passing blob keys to Dir.glob, allowing attackers to delete unintended files from the storage directory if blob keys contain attacker-controlled input or custom-generated keys with glob metacharacters. This affects Ruby on Rails versions prior to 7.2.3.1, 8.0.4.1, and 8.1.2.1, and while no CVSS score or EPSS data is currently available, the vulnerability represents a significant integrity and availability risk as it enables arbitrary file deletion on the server filesystem.

Technical ContextAI

The vulnerability exists in Rails Active Storage's DiskService component (affected CPE: pkg:rubygems/activestorage), which is a Ruby gem that provides abstractions for attaching files to Active Record models and storing them on disk. The root cause is classified under CWE-74 (Improper Neutralization of Special Elements in Output, also known as Injection), where user-controlled blob keys are passed directly to the Dir.glob function without proper escaping. The Dir.glob function interprets glob metacharacters such as asterisks, question marks, and brackets as pattern matching operators rather than literal characters. When an attacker supplies a blob key containing these metacharacters, they can craft patterns that match and delete arbitrary files within the storage directory, bypassing intended access controls.

RemediationAI

Upgrade Rails Active Storage to version 7.2.3.1 or later (for the 7.2.x branch), version 8.0.4.1 or later (for the 8.0.x branch), or version 8.1.2.1 or later (for the 8.1.x branch) as detailed in the GitHub advisory at https://github.com/rails/rails/security/advisories/GHSA-73f9-jhhh-hr5m. The fixes have been implemented across multiple commits (https://github.com/rails/rails/commit/8c9676b803820110548cdb7523800db43bc6874c, https://github.com/rails/rails/commit/955284d26e469a9c026a4eee5b21f0414ab0bccf, https://github.com/rails/rails/commit/fa19073546360856e9f4dab221fc2c5d73a45e82) which add proper escaping of glob metacharacters in the delete_prefixed method. Until patching is possible, restrict the generation and acceptance of blob keys to alphanumeric characters and avoid allowing user-supplied input to directly influence blob key generation.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 16.0 Fixed
SUSE Linux Enterprise High Availability Extension 16.1 Fixed

Share

CVE-2026-33202 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy