CVE-2026-33202
Ruby on Rails · Active Storage
A glob-pattern injection vulnerability in Active Storage's disk service allows an attacker who can influence a blob key to delete files outside that blob's own directory, because the key is interpolated into a Dir.glob pattern without escaping glob metacharacters or rejecting `..` path segments.
Executive summary
A critical vulnerability in Ruby on Rails Active Storage permits deletion of files the caller should not be able to reach, including other blobs' files and files outside the storage tree, with corresponding loss of stored data and application availability.
Vulnerability
ActiveStorage::Service::DiskService#delete_prefixed builds a Dir.glob pattern by interpolating the prefix it is given and appending `*`, then removes every match. Because the prefix is not escaped, metacharacters such as `*`, `?`, `[`, `]`, `{` and `}` are expanded rather than matched literally, and because `..` is an ordinary path segment to Dir.glob, a prefix containing it climbs out of the blob's directory; together these allow cross-blob deletion and directory traversal to arbitrary files under (or beyond) the storage root. Blob#delete calls delete_prefixed with "variants/#{key}/", so the vulnerable pattern is reached whenever a blob is purged. Blob keys are random tokens by default, so the flaw is exploitable only where an application derives keys from user-controlled input; the privileges an attacker needs depend on how that application assigns keys.
Business impact
The ability for an attacker to delete arbitrary files from the server storage directory poses a severe risk to data integrity and system availability. With a CVSS score of 9.1, this vulnerability could result in the destruction of critical application data, configuration files, or backups, leading to substantial downtime and potential loss of business continuity.
Remediation
Immediate Action: Upgrade Rails (the activestorage gem) to 8.1.2.1, 8.0.4.1, or 7.2.3.1, which sanitize the prefix before it reaches Dir.glob, and regenerate Gemfile.lock so the pinned version actually changes.
Proactive Monitoring: Review application logs for unusual file deletion patterns or errors generated by the DiskService component. Active Storage instruments each call as the `service_delete_prefixed.active_storage` notification, whose payload carries the prefix, so a subscriber or log filter that flags prefixes containing glob metacharacters or `..` segments will surface attempts directly.
Compensating Controls: Implement strict input validation on all blob keys (allow only the characters a generated key contains, and reject glob metacharacters and `..` segments before the key is stored), and use filesystem-level permissions to restrict the web application's ability to delete files outside its designated storage subdirectories. Note that permissions alone cannot stop cross-blob deletion, since the process must be able to delete any blob it owns.
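As an added example (not Rails' own code and not the upstream patch), the following Ruby reproduces the delete_prefixed pattern described under Vulnerability and the key validation suggested under Compensating Controls. It runs the same three prefixes through an unescaped glob, an escaped glob, and a validated-then-escaped glob over a constructed directory tree, returning the paths each variant would hand to FileUtils.rm_rf rather than deleting anything. The tree contents, the prefixes, and the `validated_matches` character rule are assumptions for illustration; `path_for` mirrors Active Storage's two-level on-disk layout.

```ruby
require "fileutils"
require "tmpdir"

# Added example, not Rails' own code: a stand-in for the delete_prefixed
# pattern (prefix interpolated into a Dir.glob, then everything matched is
# removed), run three ways over a throwaway directory tree. Nothing is deleted;
# each method returns the paths that FileUtils.rm_rf would have been handed.
module GlobPrefixDemo
  # Characters Dir.glob interprets: * ? [ ] { } and the backslash escape itself.
  GLOB_META = /[*?\[\]{}\\]/

  # Backslash-escape every glob metacharacter so the prefix matches only itself.
  def self.escape_glob(str)
    str.gsub(GLOB_META) { |c| "\\#{c}" }
  end

  # Same on-disk layout as Active Storage's disk service: root/ab/cd/abcd...
  def self.path_for(root, key)
    File.join(root, key[0..1], key[2..3], key)
  end

  # Vulnerable shape: the prefix goes into the pattern untouched.
  def self.unescaped_matches(root, prefix)
    relative(root, Dir.glob(path_for(root, "#{prefix}*")))
  end

  # Escaping alone: stops metacharacter expansion but not ".." traversal,
  # because ".." is an ordinary path segment to Dir.glob.
  def self.escaped_matches(root, prefix)
    relative(root, Dir.glob(path_for(root, "#{escape_glob(prefix)}*")))
  end

  # Validate first (assumed rule): only the characters a key prefix legitimately
  # contains, i.e. no dots (so no ".." segments) and no metacharacters, then
  # still escape as defence in depth.
  def self.validated_matches(root, prefix)
    unless prefix.match?(%r{\A[A-Za-z0-9_\-/]+\z})
      raise ArgumentError, "refusing unsafe prefix #{prefix.inspect}"
    end
    escaped_matches(root, prefix)
  end

  # Normalise matches (collapsing any ".." the glob carried along) to paths
  # relative to root, so the output shows what would really be removed.
  def self.relative(root, paths)
    paths.map { |p| File.expand_path(p).delete_prefix("#{root}/") }.sort
  end

  # Build a constructed tree: two blobs' variant files plus a file that is
  # not a blob at all, then run each prefix through all three methods.
  def self.run
    Dir.mktmpdir("storage") do |dir|
      root = File.realpath(dir)
      %w[va/ri/variants/aaaa/v1 va/ri/variants/bbbb/v1 secrets/config.yml].each do |rel|
        FileUtils.mkdir_p(File.join(root, File.dirname(rel)))
        File.write(File.join(root, rel), "x")
      end

      prefixes = {
        legit:     "variants/aaaa/",      # what Blob#delete normally passes
        star:      "variants/*/",         # reaches every blob's variants
        traversal: "variants/../../../"   # climbs back to the storage root
      }
      prefixes.to_h do |name, prefix|
        validated = begin
          validated_matches(root, prefix)
        rescue ArgumentError
          :rejected
        end
        [name, { unescaped: unescaped_matches(root, prefix),
                 escaped:   escaped_matches(root, prefix),
                 validated: validated }]
      end
    end
  end
end

pp GlobPrefixDemo.run if $PROGRAM_NAME == __FILE__
```

Running the file prints the result hash. The `star` prefix matches both blobs' variant files when unescaped and nothing once escaped; the `traversal` prefix reaches `secrets` and `va` (everything under the root) both unescaped and escaped, and is stopped only by the validation step. That is the practical point: escaping glob metacharacters fixes the expansion, but a key that contains `..` must be rejected before it is ever used to build a path.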
Exploitation status
Public Exploit Available: No
Analyst recommendation
Given the critical severity of this file-deletion vulnerability, organizations should prioritize patching their Ruby on Rails environments, and should audit for any code path that lets user input choose a blob key, since that is what makes the flaw reachable. Ensure that all deployment pipelines and lockfiles reference the corrected versions to prevent unauthorized file system manipulation.