CVE-2026-33173

CWE-925 CWE-12878 documents7 sources

Severity

5.3MEDIUM

EPSS

0.0%

top 97.72%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Rails Activestorage Rubyonrails Rails

Timeline

PublishedMar 24

Description

Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, `DirectUploadsController` accepts arbitrary metadata from the client and persists it on the blob. Because internal flags like `identified` and `analyzed` are stored in the same metadata hash, a direct-upload client can set these flags to skip MIME detection and analysis. This allows an attacker to upload arbitrary content while claiming a safe `content_type`, bypass…

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Packages3 packages

▶CVEListV5rails/activestorage< 7.2.3.1+2

▶RubyGemsactivestorage8.1.0.beta1 — 8.1.2.1+2

▶NVDrubyonrails/rails8.0.0 — 8.0.4.1+2

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2026-33173: Active Storage allows users to attach cloud and local files in Rails applications↗2026-03-24

▶

CVEList

Rails Active Storage has possible content type bypass via metadata in direct uploads↗2026-03-23

▶

OSV

Rails Active Storage has possible content type bypass via metadata in direct uploads↗2026-03-23

▶

GHSA

Rails Active Storage has possible content type bypass via metadata in direct uploads↗2026-03-23

▶

📋Vendor Advisories

Red Hat

Rails: Active Storage: Rails Active Storage: Content type bypass via arbitrary metadata in direct uploads↗2026-03-23

▶

Debian

CVE-2026-33173: rails - Active Storage allows users to attach cloud and local files in Rails application...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-33173 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶