CVE-2026-33173
Received Received - Intake
Metadata Injection in Rails Active Storage Allows Content-Type Bypass

Publication date: 2026-03-24

Last updated on: 2026-03-24

Assigner: GitHub, Inc.

Description
Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, `DirectUploadsController` accepts arbitrary metadata from the client and persists it on the blob. Because internal flags like `identified` and `analyzed` are stored in the same metadata hash, a direct-upload client can set these flags to skip MIME detection and analysis. This allows an attacker to upload arbitrary content while claiming a safe `content_type`, bypassing any validations that rely on Active Storage's automatic content type identification. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-24
Last Modified
2026-03-24
Generated
2026-06-16
AI Q&A
2026-03-24
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33173
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
rubyonrails rails to 7.2.3.1 (exc)
rubyonrails rails From 8.0.0 (inc) to 8.0.4.1 (exc)
rubyonrails rails From 8.1.0 (inc) to 8.1.2.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-925 The Android application uses a Broadcast Receiver that receives an Intent but does not properly verify that the Intent came from an authorized source.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-33173 is a vulnerability in the Active Storage component of Ruby on Rails, specifically in the DirectUploadsController. The issue arises because this controller accepts arbitrary metadata from clients during direct file uploads and stores it directly on the blob. Over time, internal flags such as "identified", "analyzed", and "composed" have been stored in this metadata hash. Because these internal keys are stored in the same metadata that users can control, an attacker can set these flags arbitrarily to bypass automatic MIME type detection and analysis.'}, {'type': 'paragraph', 'content': "This means an attacker can upload files with arbitrary content but claim a safe content type, effectively bypassing validations that rely on Active Storage's automatic content type identification. The vulnerability has been fixed by filtering out these protected internal keys from user-supplied metadata before saving the blob."}] [1, 2, 3, 4]

Impact Analysis

This vulnerability allows an attacker to upload arbitrary files while falsely claiming they have a safe content type by manipulating internal metadata flags. This can lead to security risks such as bypassing file type validations, potentially allowing malicious files to be uploaded and processed by the application.

As a result, your application might accept and store harmful content that could lead to further exploitation, such as executing malicious code, delivering malware, or compromising the integrity of your system.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves user-supplied metadata in Active Storage\'s DirectUploadsController being able to set internal state keys such as "analyzed", "identified", and "composed". Detection would involve inspecting direct upload requests to see if these protected metadata keys are being set by clients.'}, {'type': 'paragraph', 'content': 'Since the vulnerability is related to metadata in direct upload requests, you can monitor HTTP requests to the DirectUploadsController endpoint in your Rails application for metadata fields containing these protected keys.'}, {'type': 'paragraph', 'content': 'For example, you could use network monitoring tools or web server logs to search for upload requests containing JSON metadata with keys like "analyzed" or "identified".'}, {'type': 'list_item', 'content': 'Use grep or similar tools on your Rails server logs to find suspicious metadata keys: grep -iE \'"analyzed"|"identified"|"composed"\' log/production.log'}, {'type': 'list_item', 'content': 'Use a packet capture tool like tcpdump or Wireshark to capture HTTP POST requests to the DirectUploadsController endpoint and inspect the metadata payload for protected keys.'}, {'type': 'list_item', 'content': 'If you have access to the Rails console, you can query the Active Storage blobs metadata to check if any blobs have these protected keys set in their metadata.'}] [1, 2, 4]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The primary mitigation is to upgrade your Ruby on Rails application to a patched version that includes the fix for CVE-2026-33173.'}, {'type': 'paragraph', 'content': 'Specifically, upgrade to Rails versions 7.2.3.1, 8.0.4.1, or 8.1.2.1 or later, which include filtering of user-supplied metadata to exclude the protected keys "analyzed", "identified", and "composed".'}, {'type': 'paragraph', 'content': 'This fix prevents users from setting or overriding these internal state keys in the metadata hash during direct uploads.'}, {'type': 'paragraph', 'content': 'Until you can upgrade, consider implementing additional validation or filtering on the server side to reject or sanitize metadata containing these protected keys.'}, {'type': 'paragraph', 'content': 'Also, monitor your application logs and network traffic for attempts to exploit this vulnerability as a temporary detection measure.'}] [1, 2, 3, 4]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33173. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart