CVE-2026-33202

CWE-74 CWE-22 — Path Traversal8 documents7 sources

Severity

6.6MEDIUM

EPSS

0.0%

top 92.81%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Rails Activestorage Rubyonrails Rails

Timeline

PublishedMar 24

Description

Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's `DiskService#delete_prefixed` passes blob keys directly to `Dir.glob` without escaping glob metacharacters. If a blob key contains attacker-controlled input or custom-generated keys with glob metacharacters, it may be possible to delete unintended files from the storage directory. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Affected Packages3 packages

▶CVEListV5rails/activestorage< 7.2.3.1+2

▶RubyGemsactivestorage8.1.0.beta1 — 8.1.2.1+2

▶NVDrubyonrails/rails8.0.0 — 8.0.4.1+2

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2026-33202: Active Storage allows users to attach cloud and local files in Rails applications↗2026-03-24

▶

OSV

Rails Active Storage has possible glob injection in its DiskService↗2026-03-23

▶

CVEList

Rails Active Storage has possible glob injection in its DiskService↗2026-03-23

▶

GHSA

Rails Active Storage has possible glob injection in its DiskService↗2026-03-23

▶

📋Vendor Advisories

Red Hat

rails: Active Storage: Unintended file deletion via crafted blob keys↗2026-03-23

▶

Debian

CVE-2026-33202: rails - Active Storage allows users to attach cloud and local files in Rails application...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-33202 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶