CVE-2026-33195 - Vulnerability Analysis
Severity: Critical | CVSS: 9.8 | Last Updated: March 24, 2026
Rails Active Storage - Path Traversal
Published: March 24, 2026 | Updated: March 24, 2026 | Remotely Exploitable
Overview
Rails Active Storage versions before 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a path traversal vulnerability caused by missing validation in DiskService#path_for. If application code passes user-controlled input as blob keys, an attacker can read, write, or delete arbitrary files on the server.
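As an added illustration (not code from the Rails project or the advisory), the following Ruby shows the kind of key validation and containment check a DiskService-style path resolver needs before a blob key touches the filesystem. The storage root, the helper names and the minimum key length are assumptions; the two-level `key[0..1]/key[2..3]/key` directory layout mirrors Active Storage's disk service.

```ruby
require "pathname"

# Constructed storage root for this example (not a real Rails config value).
STORAGE_ROOT = Pathname.new("/var/app/storage").expand_path

# Active Storage generates keys as lowercase base36 strings. A key that
# contains anything else ("..", "/", NUL) has no legitimate reason to exist,
# so reject it outright. Minimum length of 4 is an assumption so that the
# sharding below always has two characters per level.
KEY_PATTERN = /\A[a-z0-9]{4,}\z/

# Resolve a blob key to an on-disk path, refusing anything that does not
# stay inside the storage root. Raises ArgumentError on a bad key.
def safe_path_for(key, root: STORAGE_ROOT)
  unless key.is_a?(String) && key.match?(KEY_PATTERN)
    raise ArgumentError, "invalid blob key"
  end

  # Two-level sharded layout: <root>/<key[0..1]>/<key[2..3]>/<key>
  path = root.join(key[0..1], key[2..3], key).expand_path

  # Defense in depth: even if the pattern were loosened later, the resolved
  # path must remain strictly below the root (note the trailing separator,
  # so "/var/app/storage-evil" does not pass as a prefix match).
  unless path.to_s.start_with?(root.to_s + File::SEPARATOR)
    raise ArgumentError, "blob key escapes storage root"
  end

  path
end

# Convenience predicate for callers that just want a yes/no answer.
def key_safe?(key, root: STORAGE_ROOT)
  safe_path_for(key, root: root)
  true
rescue ArgumentError
  false
end
```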
Severity & Score
Severity: Critical
CVSS Score: 9.8
Impact
Attackers can read, modify, or delete arbitrary files on the server, potentially leading to data loss or system compromise.
Mitigation
Update to version 8.1.2.1, 8.0.4.1, or 7.2.3.1 (or later in the respective series).
References
- https://github.com/rails/rails/releases/tag/v7.2.3.1
- https://github.com/rails/rails/releases/tag/v8.0.4.1
- https://github.com/rails/rails/releases/tag/v8.1.2.1
- https://github.com/rails/rails/security/advisories/GHSA-9xrj-h377-fr87
- https://github.com/rails/rails/commit/4933c1e3b8c1bb04925d60347be9f69270392f2c
- https://github.com/rails/rails/commit/9b06fbc0f504b8afe333f33d19548f3b85fbe655
- https://github.com/rails/rails/commit/a290c8a1ec189d793aa6d7f2570b6a763f675348
Details
- CVE ID: CVE-2026-33195
- Severity: Critical
- CVSS Score: 9.8
- Type: path_traversal
- Status: confirmed
CWE
- CWE-22
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H