CVE-2026-33195
Ruby on Rails · Active Storage
A path traversal vulnerability in Active Storage allows attackers to read, write, or delete arbitrary files on the server via malicious blob keys.
Executive summary
A critical path traversal vulnerability in Ruby on Rails Active Storage enables attackers to perform unauthorized file system operations, threatening server-wide data integrity.
Vulnerability
The DiskService#path_for method does not validate that the resolved filesystem path stays within the storage root. An application that uses attacker-influenced strings as blob keys therefore exposes arbitrary filesystem access outside the intended storage directory.
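The control that is missing in the description above, shown as an added example. This is not Rails' own DiskService code or the vendor's patch: the class name, the two-level "ab/cd/key" directory layout and the key format are assumptions made for illustration. The allowlist on the key is the primary check; the containment test on the expanded path is defence in depth so that a later loosening of the allowlist cannot silently reintroduce traversal.

```ruby
# Added example, not Rails' own code: a path_for-style lookup that refuses
# blob keys whose resolved path leaves the storage root. The two-level
# "ab/cd/abcd..." layout mirrors what the page describes for DiskService,
# but the exact layout and the method names here are assumptions.
class SafeDiskStorage
  class PathTraversal < StandardError; end

  # Blob keys are treated as opaque lowercase alphanumerics; anything else
  # (slashes, dots, NUL bytes, absolute paths) is rejected up front.
  KEY_FORMAT = /\A[a-z0-9]{4,}\z/

  def initialize(root)
    @root = File.expand_path(root)
  end

  # Absolute on-disk path for +key+, or PathTraversal if the key is malformed
  # or its expanded path escapes @root. Both checks run: the allowlist is the
  # primary control, the containment test is defence in depth.
  def path_for(key)
    unless key.is_a?(String) && key.match?(KEY_FORMAT)
      raise PathTraversal, "malformed blob key #{key.inspect}"
    end
    candidate = candidate_path(key)
    unless contained?(candidate)
      raise PathTraversal, "blob key escapes storage root: #{key.inspect}"
    end
    candidate
  end

  # Prefix test on an already-expanded path. File.expand_path collapses "."
  # and "..", so "../" chains and "ab/../.." tricks resolve to a path that
  # no longer starts with the root and fail here.
  def contained?(candidate)
    candidate.start_with?(@root + File::SEPARATOR)
  end

  # Containment check alone, for keys of any shape (used to show what the
  # prefix test catches even without the allowlist).
  def key_contained?(key)
    key.is_a?(String) && key.length >= 4 && contained?(candidate_path(key))
  end

  def safe?(key)
    path_for(key)
    true
  rescue PathTraversal
    false
  end

  private

  # Unvalidated resolution, the shape the vulnerable lookup is described as having.
  def candidate_path(key)
    File.expand_path(File.join(@root, key[0..1], key[2..3], key))
  end
end
```

Note that File.expand_path does not resolve symlinks; if the storage root may contain attacker-created links, resolve with File.realpath on an existing parent directory before the prefix test.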
Business impact
With a CVSS score of 9.8, this vulnerability represents a critical threat, potentially allowing complete server compromise. An attacker could read sensitive configuration files, overwrite critical system binaries, or delete essential data, leading to total service loss and unauthorized disclosure of internal information.
Remediation
Immediate Action: Apply the vendor-provided patch by upgrading Active Storage to versions 8.1.2.1, 8.0.4.1, or 7.2.3.1.
Proactive Monitoring: Monitor server access logs for path traversal attempts, specifically looking for ../ sequences in requests interacting with file storage services.
Compensating Controls: Deploy a Web Application Firewall (WAF) configured to block requests containing directory traversal patterns directed at the storage backend.
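The log monitoring recommended above, as an added example that is not part of the advisory. It scans combined-format access-log lines for a ".." path segment after URL decoding, so percent-encoded ("..%2F") and double-encoded ("%252e%252e") forms are caught alongside a literal "../". The log lines are constructed, and the "/rails/active_storage/" prefix is assumed to be the disk-service route prefix and is used only to annotate hits.

```ruby
# Added example, not from the advisory: flag access-log requests whose path
# contains a directory-traversal segment after URL decoding. The log format
# and the sample lines below are constructed.

# Matches ".." as a whole path segment, with either separator.
TRAVERSAL_SEGMENT = %r{(?:\A|[/\\])\.\.(?:[/\\]|\z)}

# Assumed disk-service route prefix; used only to annotate hits,
# every traversal attempt is reported regardless of prefix.
STORAGE_PREFIX = "/rails/active_storage/"

# One percent-decoding pass; malformed escapes are left untouched.
def percent_decode(s)
  s.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
end

# Decodes repeatedly (bounded) until the string stops changing and returns
# [decoded, passes_needed]; double encoding slips past single-pass filters.
def fully_decode(s, max_passes = 3)
  passes = 0
  while passes < max_passes
    decoded = percent_decode(s)
    break if decoded == s
    s = decoded
    passes += 1
  end
  [s, passes]
end

# Pulls the request target out of a combined-log-format line.
def request_path(line)
  m = line.match(%r{"(?:GET|POST|PUT|PATCH|DELETE|HEAD) (\S+) HTTP/[\d.]+"})
  m && m[1]
end

# One hash per suspicious line:
# { line_no:, path:, decoded:, passes:, storage_route: }
def scan_access_log(lines)
  hits = []
  lines.each_with_index do |line, i|
    path = request_path(line)
    next unless path
    decoded, passes = fully_decode(path)
    next unless decoded.match?(TRAVERSAL_SEGMENT)
    hits << { line_no: i + 1, path: path, decoded: decoded, passes: passes,
              storage_route: decoded.start_with?(STORAGE_PREFIX) }
  end
  hits
end

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
  '10.0.0.5 - - [01/Mar/2026:10:00:01 +0000] "GET /rails/active_storage/disk/abc123/report.pdf HTTP/1.1" 200 5120',
  '10.0.0.9 - - [01/Mar/2026:10:00:07 +0000] "GET /rails/active_storage/disk/..%2F..%2F..%2Fetc%2Fpasswd/x HTTP/1.1" 404 0',
  '10.0.0.9 - - [01/Mar/2026:10:00:09 +0000] "GET /rails/active_storage/disk/%252e%252e/%252e%252e/config/master.key HTTP/1.1" 403 0',
  '10.0.0.5 - - [01/Mar/2026:10:00:12 +0000] "GET /assets/application.js HTTP/1.1" 200 88120',
  '10.0.0.7 - - [01/Mar/2026:10:00:15 +0000] "GET /files/..%5C..%5Cwindows%5Cwin.ini HTTP/1.1" 404 0',
]

if __FILE__ == $0
  scan_access_log(SAMPLE_LOG).each do |h|
    tag = h[:storage_route] ? ", storage route" : ""
    puts "line #{h[:line_no]} (#{h[:passes]} decode pass(es)#{tag}): #{h[:decoded]}"
  end
end
```

Requests that are blocked upstream by the WAF will not reach this log, so run the same scan over the WAF's own log as well; a 403 or 404 on a traversal path is still worth an alert, because it shows the path is being probed.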
Exploitation status
Public Exploit Available: No
Analyst recommendation
This vulnerability is highly severe and requires immediate remediation. Organizations using Active Storage must update to the patched versions to prevent attackers from gaining unauthorized access to the underlying filesystem.