CVE-2026-34060
Severity: CRITICAL
Ruby LSP has arbitrary code execution through branch setting
Title source: CNA
Description
Ruby LSP is an implementation of the language server protocol for Ruby. Prior to Shopify.ruby-lsp version 0.10.2 and ruby-lsp version 0.26.9, the rubyLsp.branch VS Code workspace setting was interpolated without sanitization into a generated Gemfile, allowing arbitrary Ruby code execution when a user opens a project containing a malicious .vscode/settings.json. This issue has been patched in Shopify.ruby-lsp version 0.10.2 and ruby-lsp version 0.26.9.
References (2)
Confirm (x_refsource_confirm): https://github.com/Shopify/ruby-lsp/security/advisories/GHSA-c4r5-fxqw-vh93
Misc (x_refsource_misc): https://github.com/Shopify/ruby-lsp/releases/tag/v0.26.9
Scores
CVSS v3
9.8
EPSS
0.0043
EPSS Percentile
33.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-94
Status
published
Products (5)
rubygems/ruby-lsp (RubyGems)
0 - 0.26.9
Shopify/ruby-lsp
< 0.26.9
shopify/ruby_lsp
< 0.10.2
shopify/ruby_lsp
< 0.26.9
Shopify/Shopify.ruby-lsp
< 0.10.2
Published
Mar 31, 2026
Tracked Since
Mar 31, 2026