CVE-2026-34060
Published 2026-03-31
CVE-2026-34060: Ruby LSP is an implementation of the language server protocol for Ruby. Prior to Shopify.ruby-lsp version 0.10.2 and ruby-lsp version 0.26.9, the…
Priority P262 · critical · 9.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS 0.48% (37.7th percentile)
Ruby LSP is an implementation of the language server protocol for Ruby. Prior to Shopify.ruby-lsp version 0.10.2 and ruby-lsp version 0.26.9, the rubyLsp.branch VS Code workspace setting was interpolated without sanitization into a generated Gemfile, allowing arbitrary Ruby code execution when a user opens a project containing a malicious .vscode/settings.json. This issue has been patched in Shopify.ruby-lsp version 0.10.2 and ruby-lsp version 0.26.9.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | ruby-ruby-lsp | — | — |
| shopify | ruby-lsp | < 0.26.9 | 0.26.9 |
| shopify | ruby-lsp | >= 0 < 0.26.9 | 0.26.9 |
| shopify | ruby_lsp | < 0.10.2 | 0.10.2 |
| shopify | ruby_lsp | < 0.26.9 | 0.26.9 |
| shopify | shopify.ruby-lsp | < 0.10.2 | 0.10.2 |
Detection & IOCs (extracted from sources)
- Look for `.vscode/settings.json` files in project repositories whose `rubyLsp.branch` value is anything other than a plain branch name; quotes, whitespace, `;` or `#{` in the value have no place in a branch name and indicate an attempt to break out of the generated Gemfile's Ruby source.
- Inspect the generated `.ruby-lsp/Gemfile` for unexpected Ruby code that originates from the `rubyLsp.branch` setting rather than from the project's own Gemfile.
- Flag installs of the Shopify.ruby-lsp VS Code extension prior to 0.10.2 or the ruby-lsp gem prior to 0.26.9 as vulnerable to this code injection.
- Exploitation requires a user to open a project containing a malicious `.vscode/settings.json`; because this is a workspace-scoped setting, the attack vector is supply-chain/repository-level (e.g. a malicious repo cloned by a developer).
- Scope is local; exploitation requires the victim to open the malicious project with the vulnerable ruby-lsp extension installed and the workspace trusted. Other editors that automatically apply workspace-level settings on opening a trusted workspace are also affected, since the server performs the interpolation.
- Both the VS Code extension (Shopify.ruby-lsp < 0.10.2) and the gem (ruby-lsp < 0.26.9) are affected; the gem is the component that performs the interpolation, so update both.
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v4.0 · 7.1 HIGH · CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
osv · 7.1 HIGH
vendor_debian · 7.1 HIGH
Note that the two NVD vectors disagree on attack vector and user interaction: v3.1 scores AV:N/UI:N (network, no interaction), while v4.0 scores AV:L/AT:P/UI:A, which matches the described precondition that a victim locally opens a project carrying the malicious settings file (Debian likewise records the scope as local). Treat the 9.8 as an upper bound when prioritising.
OSV
CVE-2026-34060 [HIGH] CVE-2026-34060: Ruby LSP is an implementation of the language server protocol for Ruby
osv · 2026-03-31 · CVSS 7.1
OSV
CVE-2026-34060 [HIGH] Ruby LSP has arbitrary code execution through branch setting
osv · 2026-03-27
**Summary**
The `rubyLsp.branch` VS Code workspace setting was interpolated without sanitization into a generated Gemfile, allowing arbitrary Ruby code execution when a user opens a project containing a malicious `.vscode/settings.json`.
Other editors that support workspace settings which are applied automatically when the editor opens a trusted workspace are also impacted, since the server is the component that performs the interpolation.
**Details**
The `branch` CLI argument passed to the `ruby-lsp` server was interpolated into the generated `.ruby-lsp/Gemfile` without sanitization. Editors that allow defining settings saved at the workspace level (e.g. `.vscode/settings.json`) that get automatically applied open the
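The following Ruby is an added example that serves both the Detection & IOCs list above and the Details paragraph here; it is not ruby-lsp's own code and not the upstream fix. It models the bug class the advisory describes: a branch name read from a workspace settings file and interpolated into the Ruby source of a generated Gemfile. The Gemfile shape, the `github:` source, the branch-name allowlist and the helper names (`valid_branch?`, `vulnerable_gemfile`, `hardened_gemfile`, `suspicious_branch_setting`) are all assumptions made for illustration, and the malicious `settings.json` is constructed. Ripper is used so the injected statements can be counted without executing anything.

```ruby
require "json"
require "ripper"

# Added example, not ruby-lsp's own code and not the upstream fix. It models the
# bug class from the advisory: a branch name read from workspace settings and
# interpolated into the Ruby source of a generated Gemfile. The exact Gemfile
# shape, the allowlist and the helper names below are assumptions.

# Conservative allowlist for branch names (assumption: stricter than git's
# refname rules, which is acceptable for a setting that only names a branch).
BRANCH_NAME = /\A(?!.*(?:\.\.|@\{|\/\/|\/\.))[A-Za-z0-9][A-Za-z0-9._\/-]{0,254}(?<![.\/])\z/

def valid_branch?(branch)
  branch.is_a?(String) && BRANCH_NAME.match?(branch) && !branch.end_with?(".lock")
end

# Unsafe (deliberately): the setting value becomes part of the Gemfile's Ruby
# source, so a value containing a double quote ends the string literal early.
def vulnerable_gemfile(branch)
  <<~GEMFILE
    eval_gemfile(File.expand_path("../Gemfile", __dir__))
    gem "ruby-lsp", require: false, group: :development, github: "Shopify/ruby-lsp", branch: "#{branch}"
  GEMFILE
end

# Hardened: reject anything outside the allowlist, then emit the value with
# String#dump so that even an allowed name can never terminate the literal.
def hardened_gemfile(branch)
  raise ArgumentError, "refusing unsafe branch name #{branch.inspect}" unless valid_branch?(branch)
  <<~GEMFILE
    eval_gemfile(File.expand_path("../Gemfile", __dir__))
    gem "ruby-lsp", require: false, group: :development, github: "Shopify/ruby-lsp", branch: #{branch.dump}
  GEMFILE
end

# Number of top-level statements Ruby would run for a generated Gemfile, via
# Ripper (nil if it does not parse). An injection shows up as extra statements.
def top_level_statements(source)
  tree = Ripper.sexp(source)
  tree && tree[1].length
end

# Detection for the IOC list: returns the rubyLsp.branch value when a workspace
# settings file carries one that is not a plain branch name, otherwise nil.
# Assumes plain JSON; VS Code also accepts comments, which would need stripping.
def suspicious_branch_setting(settings_json)
  settings = JSON.parse(settings_json)
  return nil unless settings.is_a?(Hash)
  branch = settings["rubyLsp.branch"]
  return nil if branch.nil? || valid_branch?(branch)
  branch
rescue JSON::ParserError
  nil
end

# Constructed sample input (not taken from the advisory): a .vscode/settings.json
# whose branch value closes the string literal and appends two statements.
MALICIOUS_SETTINGS = <<~JSON
  {
    "rubyLsp.branch": "main\\"; system(\\"id\\"); x = \\"",
    "editor.tabSize": 2
  }
JSON

if __FILE__ == $PROGRAM_NAME
  branch = suspicious_branch_setting(MALICIOUS_SETTINGS)
  puts "flagged rubyLsp.branch: #{branch.inspect}"
  puts "vulnerable Gemfile parses to #{top_level_statements(vulnerable_gemfile(branch))} statements (a clean one has 2)"
  begin
    hardened_gemfile(branch)
  rescue ArgumentError => e
    puts "hardened generator: #{e.message}"
  end
end
```

The vulnerable generator turns the constructed value into a Gemfile with four top-level statements instead of two, which is exactly what Bundler would execute when the server sets up the custom bundle; the hardened generator refuses the value before any source is written, and `String#dump` keeps the emitted literal closed even for names the allowlist permits. Run the detection helper over every `.vscode/settings.json` in a repository before opening it in an editor that auto-applies workspace settings.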
GHSA
CVE-2026-34060 [HIGH] CWE-94 Ruby LSP has arbitrary code execution through branch setting
ghsa · 2026-03-27
Debian
CVE-2026-34060 [HIGH] CVE-2026-34060: ruby-ruby-lsp - Ruby LSP is an implementation of the language server protocol for Ruby. Prior to...
vendor_debian · 2026 · CVSS 7.1
Scope: local
forky: open
sid: open
No detection rules found.
No public exploits indexed.
Published 2026-03-31