Platform
ruby
Component
activestorage
Fixed in
8.1.1
8.0.1
7.2.4
8.1.2.1
CVE-2026-33195 is a Path Traversal vulnerability discovered in Ruby on Rails Active Storage. This flaw allows attackers to potentially read, write, or delete arbitrary files on the server by manipulating blob keys containing path traversal sequences like ../. The vulnerability impacts versions of Active Storage up to and including 8.1.2, and a fix is available in version 8.1.2.1.
The core of the vulnerability lies in the DiskService#path_for method within Active Storage, which fails to properly validate that the resolved filesystem path remains within the designated storage root directory. An attacker can exploit this by crafting a malicious blob key containing path traversal sequences. For example, a key like ../../../../etc/passwd could allow an attacker to read sensitive system files. The ability to write arbitrary files could lead to remote code execution if the attacker can overwrite executable files or inject malicious code into application assets. The blast radius extends to any application utilizing Active Storage with untrusted user input being used as blob keys.
This vulnerability was responsibly reported by HackerOne researcher [ksw9722](https://hackerone.com/ksw). As of the public disclosure date (2026-03-23), there is no indication of active exploitation in the wild. The EPSS score is likely to be medium, given the potential impact and the requirement for crafted input. No KEV listing exists at this time.
Exploit Status
EPSS
0.03% (9th percentile)
CISA SSVC
The primary mitigation is to upgrade to Ruby on Rails Active Storage version 8.1.2.1 or later, which includes the necessary validation to prevent path traversal. If upgrading immediately is not feasible, consider implementing input validation on blob keys to sanitize against path traversal sequences before they are used. Web application firewalls (WAFs) configured to detect and block requests containing path traversal patterns can provide an additional layer of defense. Regularly review and audit Active Storage configurations to ensure that blob keys are handled securely and that user input is properly validated.
Upgrade Active Storage to version 8.1.2.1, 8.0.4.1 or 7.2.3.1, or later, as appropriate for your Rails version. This fixes the path traversal vulnerability in DiskService.
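The following is an added example, not Rails code and not the 8.1.2.1 patch: a hardened stand-in for the kind of blob-key validation and path-containment check that the temporary workaround above calls for (the same workaround is restated in the summary further down). The class name, the storage root, the error type and the audit helper are assumptions for illustration; the two-level folder layout mirrors the one Active Storage's disk service derives from the first four characters of a key.

```ruby
# Added example (not Rails code): key allow-listing plus a root-containment
# check for the path a disk-backed blob store resolves for a given key.
class SafeDiskPaths
  class InvalidKey < ArgumentError; end

  # Active Storage generates keys as alphanumeric secure tokens, so an
  # allow-list of those characters rejects ".", "/" and "\\" outright.
  # Minimum length 4 so the two-level folder slices below are always present.
  KEY_PATTERN = /\A[a-zA-Z0-9]{4,}\z/.freeze

  def initialize(root)
    # Normalise once so the containment comparison is against an absolute root.
    @root = File.expand_path(root)
  end

  # Returns the absolute on-disk path for +key+, or raises InvalidKey.
  def path_for(key)
    unless key.is_a?(String) && key.match?(KEY_PATTERN)
      raise InvalidKey, "blob key must be alphanumeric"
    end

    # Two-level sharded layout (first two chars / next two chars / key).
    candidate = File.expand_path(File.join(@root, key[0..1], key[2..3], key))

    # Defense in depth: even if the allow-list were relaxed later, the
    # resolved path must stay inside the root. Comparing against root plus
    # separator stops "/var/app/storage2" from passing for "/var/app/storage".
    unless candidate.start_with?(@root + File::SEPARATOR)
      raise InvalidKey, "resolved path escapes storage root"
    end

    candidate
  end

  # True if +key+ resolves to a path inside the storage root, false otherwise.
  def valid_key?(key)
    path_for(key)
    true
  rescue InvalidKey
    false
  end

  # Audit helper (assumed, not part of Active Storage): given keys already
  # stored, e.g. read from the blobs table, return the ones that would be
  # rejected, so existing data can be reviewed after upgrading.
  def audit_keys(keys)
    keys.reject { |key| valid_key?(key) }
  end
end

if __FILE__ == $PROGRAM_NAME
  paths = SafeDiskPaths.new("/var/app/storage")
  # Constructed sample keys: one well-formed token and one traversal attempt.
  puts paths.path_for("abcd1234")
  puts paths.audit_keys(["abcd1234", "../../../../etc/passwd"]).inspect
end
```

The allow-list is the primary control; the containment check is there so that a future relaxation of the key format (or a different key source) cannot silently reintroduce the traversal. The audit helper is the defender's follow-up: after upgrading, run it over stored keys to find any that were written while the flaw was present.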
CVE-2026-33195 is a Path Traversal vulnerability in Ruby on Rails Active Storage versions 8.1.2 and earlier, allowing attackers to potentially read, write, or delete arbitrary files.
You are affected if you are using Ruby on Rails Active Storage version 8.1.2 or earlier. Upgrade to 8.1.2.1 or later to mitigate the risk.
Upgrade to Ruby on Rails Active Storage version 8.1.2.1 or later. As a temporary workaround, validate blob keys to prevent path traversal sequences.
As of the public disclosure date, there is no evidence of active exploitation in the wild.
Refer to the official Ruby on Rails security advisories for detailed information and updates: [https://github.com/rails/rails/security/advisories/GHSA-xxxx-xxxx-xxxx](https://github.com/rails/rails/security/advisories/GHSA-xxxx-xxxx-xxxx)