CVE-2026-33202 - Vulnerability Analysis
Severity: Critical | CVSS: 9.1 | Last Updated: March 24, 2026
Rails Active Storage - File Deletion
Published: March 24, 2026 | Updated: March 24, 2026 | Remote Exploitable
Overview
Rails Active Storage versions before 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a file deletion vulnerability: glob metacharacters in blob keys are not escaped before the key is passed to Dir.glob, so a crafted key can match, and cause the deletion of, files other than the intended blob. Exploitation requires attacker-controlled blob keys.
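As an added illustration, not code from this page or from Rails, the Ruby script below shows why a key interpolated verbatim into a Dir.glob pattern is dangerous and what a storage layer can do about it: escape the glob metacharacters so the key matches only itself, and reject keys that do not look like keys at all. The sample directory layout, the find_by_key helper and the BLOB_KEY_FORMAT pattern are constructed assumptions and are not Active Storage's own code or key format.

```ruby
require "tmpdir"
require "fileutils"

# Characters that Ruby's Dir.glob interprets as pattern syntax.
GLOB_METACHARACTERS = /[*?\[\]{}\\]/

# Prefix every metacharacter with a backslash so the key matches only itself.
def escape_glob(key)
  key.gsub(GLOB_METACHARACTERS) { |c| "\\#{c}" }
end

# Defence in depth (assumed key format, not Active Storage's): keys are expected
# to be plain lowercase alphanumeric tokens, so anything else is refused before
# it ever reaches the filesystem layer.
BLOB_KEY_FORMAT = /\A[a-z0-9]+\z/

def valid_key?(key)
  key.match?(BLOB_KEY_FORMAT)
end

# Return the names of all stored objects whose name starts with +key+, as a
# glob-based backend might do to find a blob and its derived variants before
# deleting them. With escape: false the key is interpolated verbatim, which is
# the behaviour pattern the advisory describes; with escape: true it is escaped.
def find_by_key(root, key, escape: true)
  prefix = escape ? escape_glob(key) : key
  Dir.glob("#{prefix}*", base: root).sort
end

# Constructed storage layout: two objects belonging to key "abc123" and one
# unrelated object ("zzz999") that a deletion of "abc123" must never touch.
def with_sample_storage
  Dir.mktmpdir("blobs") do |root|
    %w[abc123 abc123.variant zzz999].each do |name|
      FileUtils.touch(File.join(root, name))
    end
    yield root
  end
end

# Compare what the unescaped and escaped lookups match for a normal key and
# for a key consisting of a single glob metacharacter.
def demo
  with_sample_storage do |root|
    {
      normal_unescaped:  find_by_key(root, "abc123", escape: false),
      normal_escaped:    find_by_key(root, "abc123"),
      crafted_unescaped: find_by_key(root, "*", escape: false),
      crafted_escaped:   find_by_key(root, "*"),
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |label, matches| puts "#{label}: #{matches.inspect}" }
  puts "valid_key?(\"*\") => #{valid_key?("*")}"
end
```

For a well-formed key both lookups return the same two objects, so escaping costs nothing in the normal case; for the crafted key the unescaped lookup matches every object in the directory while the escaped lookup matches nothing, which is exactly the difference between "delete this blob" and "delete the store". The allow-list check is independent of the glob fix and stops such a key earlier, at the application boundary.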
Severity & Score
Severity: Critical
CVSS Score: 9.1
Impact
Attackers can delete unintended files from storage, potentially causing data loss or service disruption.
Mitigation
Update to version 8.1.2.1, 8.0.4.1, or 7.2.3.1, or to a later release in the same series.
References
- https://github.com/rails/rails/commit/8c9676b803820110548cdb7523800db43bc6874c
- https://github.com/rails/rails/commit/955284d26e469a9c026a4eee5b21f0414ab0bccf
- https://github.com/rails/rails/commit/fa19073546360856e9f4dab221fc2c5d73a45e82
- https://github.com/rails/rails/releases/tag/v7.2.3.1
- https://github.com/rails/rails/releases/tag/v8.0.4.1
- https://github.com/rails/rails/releases/tag/v8.1.2.1
- https://github.com/rails/rails/security/advisories/GHSA-73f9-jhhh-hr5m
Details
- CVE ID: CVE-2026-33202
- Severity: Critical
- CVSS Score: 9.1
- Type: path_traversal
- Status: confirmed
CWE
- CWE-74
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H