๐Ÿ” CVE Alert

CVE-2026-33195

UNKNOWN 0.0

Rails Active Storage has possible Path Traversal in DiskService

CVSS Score 0.0
EPSS Score 0.0%
EPSS Percentile 7th

Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's `DiskService#path_for` does not validate that the resolved filesystem path remains within the storage root directory. If a blob key containing path traversal sequences (e.g. `../`) is used, it could allow reading, writing, or deleting arbitrary files on the server. Blob keys are expected to be trusted strings, but some applications could be passing user input as keys and would be affected. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
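The defect described above is a missing containment check: a blob key is joined onto the storage root without verifying that the resolved path still lies inside that root. The following Ruby is an added illustration, not the Rails patch and not Active Storage's own code. It assumes the disk service's two-level folder layout (files nested under the first two and next two characters of the key), contrasts a naive resolver with one that rejects any key whose expanded path escapes the root, and adds an optional allow-list on the key's character set; the root path, the keys and the alphabet are constructed for the example.

```ruby
# Added example (not the Rails fix): resolve a blob key under a storage root
# and refuse any key whose resolved path escapes that root.
require "pathname"

class PathTraversalError < StandardError; end

# Assumed layout: two nesting levels derived from the key's leading
# characters, e.g. root/ab/cd/abcdef1234 for key "abcdef1234".
def folder_for(key)
  [key[0..1], key[2..3]].join("/")
end

# Naive resolution: trusts the key completely, so a key containing "../"
# segments walks out of the root. This is the shape of the flaw, shown only
# so the hardened version can be compared against it.
def naive_path_for(root, key)
  File.join(root, folder_for(key), key)
end

# Hardened resolution: expand both root and candidate to absolute, normalised
# paths and require the candidate to be a strict descendant of the root.
# File.expand_path is purely lexical, so it resolves ".." and "." without
# touching the filesystem.
def safe_path_for(root, key)
  raise ArgumentError, "key must be a String" unless key.is_a?(String)
  base = File.expand_path(root)
  candidate = File.expand_path(File.join(base, folder_for(key), key))
  unless candidate.start_with?(base + File::SEPARATOR)
    raise PathTraversalError, "blob key escapes storage root: #{key.inspect}"
  end
  candidate
end

# Optional defence in depth: only accept keys in the alphabet your
# application actually generates. Plain alphanumerics are an assumption
# here; adjust the pattern to match your own key generator.
SAFE_KEY = /\A[A-Za-z0-9]+\z/.freeze

def valid_key?(key)
  key.is_a?(String) && key.length >= 4 && SAFE_KEY.match?(key)
end

# Convenience predicate for callers that want a boolean instead of an
# exception.
def path_inside_root?(root, key)
  safe_path_for(root, key)
  true
rescue PathTraversalError
  false
end

if $PROGRAM_NAME == __FILE__
  root = "/var/app/storage"                      # constructed root
  puts safe_path_for(root, "abcdef1234")         # stays inside the root
  puts naive_path_for(root, "../../../outside.txt") # naive resolver escapes
  begin
    safe_path_for(root, "../../../outside.txt")
  rescue PathTraversalError => e
    puts "rejected: #{e.message}"
  end
end
```

Two practical notes: the prefix comparison uses `base + File::SEPARATOR` so that a sibling directory such as `/var/app/storage2` is not mistaken for a descendant of `/var/app/storage`; and because `File.expand_path` is lexical, a symlink planted inside the root could still point elsewhere, so code that must also defend against that should compare `File.realpath` of the final target once it exists.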

CWE CWE-22
Vendor rails
Product activestorage
Published Mar 23, 2026
Last Updated Mar 25, 2026

Affected Versions

rails / activestorage
>= 8.1.0.beta1, < 8.1.2.1
>= 8.0.0.beta1, < 8.0.4.1
< 7.2.3.1

References

NVD, CVE.org, EPSS Data (external links)
github.com: https://github.com/rails/rails/security/advisories/GHSA-9xrj-h377-fr87
github.com: https://github.com/rails/rails/commit/4933c1e3b8c1bb04925d60347be9f69270392f2c
github.com: https://github.com/rails/rails/commit/9b06fbc0f504b8afe333f33d19548f3b85fbe655
github.com: https://github.com/rails/rails/commit/a290c8a1ec189d793aa6d7f2570b6a763f675348
github.com: https://github.com/rails/rails/releases/tag/v7.2.3.1
github.com: https://github.com/rails/rails/releases/tag/v8.0.4.1
github.com: https://github.com/rails/rails/releases/tag/v8.1.2.1