CVE-2026-34060
published 2026-03-31


Priority: P262
Severity: critical, base score 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.48% (37.7th percentile)
Ruby LSP is an implementation of the language server protocol for Ruby. Prior to Shopify.ruby-lsp version 0.10.2 and ruby-lsp version 0.26.9, the rubyLsp.branch VS Code workspace setting was interpolated without sanitization into a generated Gemfile, allowing arbitrary Ruby code execution when a user opens a project containing a malicious .vscode/settings.json. This issue has been patched in Shopify.ruby-lsp version 0.10.2 and ruby-lsp version 0.26.9.

Affected

6 ranges

Vendor   | Product            | Version range    | Fixed in
debian   | ruby-ruby-lsp      |                  |
shopify  | ruby-lsp           | < 0.26.9         | 0.26.9
shopify  | ruby-lsp           | >= 0, < 0.26.9   | 0.26.9
shopify  | ruby_lsp           | < 0.10.2         | 0.10.2
shopify  | ruby_lsp           | < 0.26.9         | 0.26.9
shopify  | shopify.ruby-lsp   | < 0.10.2         | 0.10.2

Detection & IOCs (extracted from sources)

  • Look for malicious `.vscode/settings.json` files in project repositories containing a crafted `rubyLsp.branch` workspace setting with unsanitized Ruby code payloads
  • Inspect generated Gemfiles for unexpected or injected Ruby code originating from the `rubyLsp.branch` setting interpolation
  • Flag use of Shopify.ruby-lsp versions prior to 0.10.2 or ruby-lsp versions prior to 0.26.9 as vulnerable to this code injection
  • Exploitation requires a user to open a project containing a malicious `.vscode/settings.json`; this is a workspace-scoped setting, so the attack vector is supply-chain/repository-level (e.g., a malicious repo cloned by a developer)
  • Scope is local; exploitation requires the victim to open the malicious project in VS Code with the vulnerable ruby-lsp extension installed
  • Both the VS Code extension (Shopify.ruby-lsp < 0.10.2) and the gem (ruby-lsp < 0.26.9) are affected; patching requires updating both components

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 9.8   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd           | v4.0    | 7.1   | HIGH     | CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
osv           |         | 7.1   | HIGH     |
vendor_debian |         | 7.1   | HIGH     |