CVE-2026-33195
CRITICALActive Storage <8.1.2.1, <8.0.4.1, <7.2.3.1 - Path Traversal
Title source: llmDescription
Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's `DiskService#path_for` does not validate that the resolved filesystem path remains within the storage root directory. If a blob key containing path traversal sequences (e.g. `../`) is used, it could allow reading, writing, or deleting arbitrary files on the server. Blob keys are expected to be trusted strings, but some applications could be passing user input as keys and would be affected. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
References (7)
Core 7
Core References
Vendor Advisory x_refsource_confirm
https://github.com/rails/rails/security/advisories/GHSA-9xrj-h377-fr87
Patch x_refsource_misc
https://github.com/rails/rails/commit/4933c1e3b8c1bb04925d60347be9f69270392f2c
Patch x_refsource_misc
https://github.com/rails/rails/commit/9b06fbc0f504b8afe333f33d19548f3b85fbe655
Patch x_refsource_misc
https://github.com/rails/rails/commit/a290c8a1ec189d793aa6d7f2570b6a763f675348
Release Notes x_refsource_misc
https://github.com/rails/rails/releases/tag/v7.2.3.1
Release Notes x_refsource_misc
https://github.com/rails/rails/releases/tag/v8.0.4.1
Release Notes x_refsource_misc
https://github.com/rails/rails/releases/tag/v8.1.2.1
Scores
CVSS v3
9.8
EPSS
0.0060
EPSS Percentile
44.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-22
Status
published
Products (7)
rails/activestorage
< 7.2.3.1
rails/activestorage
>= 8.0.0.beta1, < 8.0.4.1
rails/activestorage
>= 8.1.0.beta1, < 8.1.2.1
rubygems/activestorage
0 - 7.2.3.1RubyGems
rubygems/activestorage
8.0.0.beta1 - 8.0.4.1RubyGems
rubygems/activestorage
8.1.0.beta1 - 8.1.2.1RubyGems
rubyonrails/rails
< 7.2.3.1
Published
Mar 24, 2026
Tracked Since
Mar 24, 2026