Platform
ruby
Component
ruby-lsp
Fixed in
0.26.10
0.10.3
CVE-2026-34060 describes a code execution vulnerability affecting Ruby LSP, an implementation of the language server protocol for Ruby. The vulnerability stems from unsanitized interpolation of the rubyLsp.branch VS Code workspace setting into a generated Gemfile, potentially leading to arbitrary Ruby code execution. This impacts versions of Ruby LSP less than or equal to 0.26.9. The vulnerability is fixed in Ruby LSP version 0.26.9.
CVE-2026-34060 poses a significant risk to users of the ruby-lsp extension within Visual Studio Code, particularly those working on Ruby projects. The vulnerability stems from the unsanitized interpolation of the rubyLsp.branch VS Code workspace setting directly into a generated Gemfile. An attacker could craft a malicious .vscode/settings.json file, embedding arbitrary Ruby code within the rubyLsp.branch setting. When a user opens a project containing this modified settings file, the ruby-lsp extension will process it, generating a Gemfile that includes the attacker's injected Ruby code. This code will then be executed during the Gemfile resolution process, effectively granting the attacker remote code execution (RCE) within the user's development environment. The blast radius extends to any data accessible by the user's development environment, including source code, configuration files, and potentially credentials stored locally. The severity is amplified by the ease of distributing malicious .vscode/settings.json files through version control systems or by tricking users into opening compromised projects. This could lead to data theft, system compromise, and further malicious activity originating from the developer's machine.
As of the current assessment, there are no publicly available exploitation reports or proof-of-concept (POC) code for CVE-2026-34060, according to KEV. However, the vulnerability's nature – allowing arbitrary Ruby code execution – makes it a high-priority concern. The lack of public exploits does not diminish the risk, as the vulnerability is relatively straightforward to understand and potentially exploit. The ease of crafting a malicious .vscode/settings.json file, combined with the potential for widespread distribution through version control, suggests that exploitation is possible. Organizations using the ruby-lsp extension should prioritize patching to prevent potential future exploitation.
Exploit Status
EPSS
0.08% (23% percentile)
To address CVE-2026-34060, immediate action is required. The primary mitigation is to upgrade the shopify.ruby-lsp extension to version 0.10.2 or the ruby-lsp extension to version 0.26.9. These versions contain the necessary fix to properly sanitize the rubyLsp.branch setting. If upgrading is not immediately possible, a temporary workaround involves manually inspecting and sanitizing the .vscode/settings.json file in each Ruby project to ensure no malicious code is present within the rubyLsp.branch setting. This is a manual and potentially error-prone process. After applying the upgrade or workaround, verify the fix by attempting to open a project with a known malicious .vscode/settings.json file (if available for testing purposes) and confirming that the malicious code is not executed. Regularly review and audit project settings files to prevent future vulnerabilities of this nature.
Actualice la gema ruby-lsp a la versión 0.26.9 o superior. Esto corrige la vulnerabilidad de ejecución de código arbitrario. Ejecute `gem update ruby-lsp` para actualizar.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-34060 is a vulnerability in the ruby-lsp extension for Visual Studio Code that allows arbitrary Ruby code execution through a malicious .vscode/settings.json file.
Users of the shopify.ruby-lsp version prior to 0.10.2 and ruby-lsp version prior to 0.26.9 are potentially affected by this vulnerability.
Upgrade the shopify.ruby-lsp extension to version 0.10.2 or the ruby-lsp extension to version 0.26.9 to resolve this issue.
Currently, there are no public exploitation reports or proof-of-concept code available for CVE-2026-34060, but the potential for exploitation exists.
Refer to the National Vulnerability Database (NVD) entry for CVE-2026-34060 for more detailed information.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your Gemfile.lock file and we'll tell you instantly if you're affected.