Rails Active Storage has possible Path Traversal in DiskService
Summary
| CVE | CVE-2026-33195 |
|---|---|
| State | PUBLISHED |
| Assigner | GitHub_M |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-03-24 00:16:28 UTC |
| Updated | 2026-06-30 03:18:37 UTC |
| Description | Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's `DiskService#path_for` does not validate that the resolved filesystem path remains within the storage root directory. If a blob key containing path traversal sequences (e.g. `../`) is used, it could allow reading, writing, or deleting arbitrary files on the server. Blob keys are expected to be trusted strings, but some applications could be passing user input as keys and would be affected. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch. |
Risk And Classification
Primary CVSS: v4.0 8 HIGH from [email protected]
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Problem Types: CWE-22 | CWE-22 CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | [email protected] | Secondary | 8 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/C... |
| 4.0 | CNA | DECLARED | 8 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U |
| 3.1 | [email protected] | Primary | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | ADP | CVSS | 8.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 8.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N |
CVSS v4.0 Breakdown
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Rubyonrails | Rails | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Rails | Activestorage | affected >= 8.1.0.beta1, < 8.1.2.1 | Not specified |
| CNA | Rails | Activestorage | affected >= 8.0.0.beta1, < 8.0.4.1 | Not specified |
| CNA | Rails | Activestorage | affected < 7.2.3.1 | Not specified |
| ADP | Red Hat | Red Hat 3scale API Management Platform 2 | Not specified | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| github.com/rails/rails/commit/a290c8a1ec189d793aa6d7f2570b6a763f675348 | [email protected] | github.com | Patch |
| access.redhat.com/security/cve/CVE-2026-33195 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| github.com/rails/rails/commit/4933c1e3b8c1bb04925d60347be9f69270392f2c | [email protected] | github.com | Patch |
| github.com/rails/rails/commit/9b06fbc0f504b8afe333f33d19548f3b85fbe655 | [email protected] | github.com | Patch |
| github.com/rails/rails/security/advisories/GHSA-9xrj-h377-fr87 | [email protected] | github.com | Vendor Advisory |
| security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-33195.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | |
| github.com/rails/rails/releases/tag/v7.2.3.1 | [email protected] | github.com | Release Notes |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | |
| github.com/rails/rails/releases/tag/v8.0.4.1 | [email protected] | github.com | Release Notes |
| github.com/rails/rails/releases/tag/v8.1.2.1 | [email protected] | github.com | Release Notes |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2026-03-24T00:01:50.330Z | Reported to Red Hat. |
| ADP | 2026-03-23T23:31:41.785Z | Made public. |
Workarounds
ADP: To mitigate this issue, ensure that blob keys used by Active Storage are not derived from untrusted user input. Applications should validate and sanitize any user-provided data before it is used in blob keys to prevent path traversal sequences.