CVE-2026-33195
Path Traversal in Rails Active Storage Allows Arbitrary File Access
Publication date: 2026-03-24
Last updated on: 2026-03-24
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| rubyonrails | rails | to 7.2.3.1 (exc) |
| rubyonrails | rails | From 8.0.0 (inc) to 8.0.4.1 (exc) |
| rubyonrails | rails | From 8.1.0 (inc) to 8.1.2.1 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability can have serious security impacts by allowing an attacker to perform directory traversal attacks on the server hosting the Rails application. Specifically, an attacker could read, write, or delete arbitrary files on the server's filesystem outside the intended storage directory.
If your application uses user input as blob keys without proper validation, it could be exploited to access sensitive files, modify critical data, or disrupt application functionality by deleting files.
The vulnerability increases the risk of unauthorized data exposure, data tampering, and potential service disruption, which could compromise the integrity and confidentiality of your system. [1, 2, 3, 4]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
Can you explain this vulnerability to me?
CVE-2026-33195 is a path traversal vulnerability in the Active Storage DiskService component of the Ruby on Rails framework. The vulnerability occurs because the method `DiskService#path_for` does not properly validate that the resolved filesystem path remains within the designated storage root directory. If a blob key containing path traversal sequences such as "../" is used, it can cause the resolved path to escape the storage root directory.
This flaw allows an attacker to potentially read, write, or delete arbitrary files on the server's filesystem. Blob keys are generally expected to be trusted strings, but if an application uses untrusted user input as blob keys, it becomes vulnerable to exploitation.
The vulnerability was fixed by enhancing the `path_for` method to strictly validate blob keys, raising an `InvalidKeyError` if the key contains dot segments ("." or ".."), results in a path outside the storage root, is blank, contains null bytes, or has incompatible encoding. The controller was also updated to handle these errors properly, and extensive tests were added to prevent such attacks. [1, 3, 4]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves path traversal via malicious blob keys in Rails ActiveStorage's DiskService. Detection involves identifying attempts to use blob keys containing path traversal sequences such as ".." or "../.." that escape the storage root directory.
Since the vulnerability is triggered by malformed or malicious blob keys, monitoring application logs or HTTP requests for blob keys containing dot segments ("." or ".."), null bytes, or invalid encodings can help detect exploitation attempts.
Rails controllers handling ActiveStorage requests now raise an `ActiveStorage::InvalidKeyError` for such invalid keys and respond with HTTP status codes 404 (Not Found) or 422 (Unprocessable Entity). Therefore, checking for these HTTP error responses in logs related to ActiveStorage endpoints may indicate attempts to exploit this vulnerability.
Specific commands are not provided in the resources, but suggested detection steps include:
- Review web server or application logs for requests to ActiveStorage endpoints with blob keys containing path traversal sequences like "../" or dot segments.
- Search logs for HTTP 404 or 422 responses from ActiveStorage controllers that may indicate rejected invalid keys.
- Use grep or similar tools to find suspicious blob keys in logs, e.g., `grep -E '\.\.|\.\/\.' /path/to/logs`.
- Monitor for exceptions named `ActiveStorage::InvalidKeyError` in application error logs. [1, 3, 4]
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Rails ActiveStorage to a patched version that includes the fix for CVE-2026-33195.
- Upgrade to ActiveStorage 8.1.2.1, 8.0.4.1, or 7.2.3.1 (or a later release in the same series), which contain the patch that enforces strict validation of blob keys.
The patch enforces validation in the `DiskService#path_for` method to reject blob keys containing path traversal sequences, null bytes, empty strings, or incompatible encodings by raising `ActiveStorage::InvalidKeyError`.
- Ensure that your application does not use untrusted user input directly as blob keys. Sanitize or validate any user-supplied keys before passing them to ActiveStorage.
- Implement or verify error handling in your application to properly catch and respond to `InvalidKeyError` exceptions.
These steps reduce the risk of arbitrary file read/write/delete operations on the server filesystem via path traversal attacks in ActiveStorage.
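The following Ruby snippet is an added example and not Rails' own code or the actual patch; it shows how the validation rules listed above (blank key, incompatible encoding, null byte, dot segments, and a resolved path outside the storage root) can be applied to a blob key before it is turned into a filesystem path, next to the naive join that lets "../" escape. The storage root `/srv/storage`, the function names and the requirement that keys be valid UTF-8 are assumptions for the example; nothing is read from disk.

```ruby
require "pathname"

# Added example, not Rails' own code. Hypothetical storage root; no file is accessed.
STORAGE_ROOT = File.expand_path("/srv/storage")

class InvalidKeyError < StandardError; end

# Pre-fix style of resolution: the key is appended to the root without any check,
# so dot segments or an absolute key move the resolved path outside the root.
def naive_path_for(key, root = STORAGE_ROOT)
  File.expand_path(File.join(root, key))
end

# Hardened resolver: each rule raises InvalidKeyError instead of returning a path.
def path_for(key, root = STORAGE_ROOT)
  raise InvalidKeyError, "key is blank" if key.nil? || key.strip.empty?
  # Assumed policy for this example: keys must be valid UTF-8 strings.
  unless key.encoding == Encoding::UTF_8 && key.valid_encoding?
    raise InvalidKeyError, "key has incompatible encoding"
  end
  raise InvalidKeyError, "key contains a null byte" if key.include?("\0")
  # Only exact "." / ".." segments are rejected; a dotfile such as "..hidden" is allowed.
  if key.split("/").any? { |seg| seg == "." || seg == ".." }
    raise InvalidKeyError, "key contains a dot segment"
  end

  root_path = Pathname.new(root)
  # Pathname#+ returns the key itself when the key is absolute, so the
  # containment check below also catches keys like "/etc/passwd".
  resolved = (root_path + key).expand_path
  inside = resolved.to_s.start_with?(root_path.to_s + File::SEPARATOR)
  raise InvalidKeyError, "key resolves outside the storage root" unless inside
  resolved.to_s
end

# Boolean form, convenient when triaging keys seen in logs.
def valid_blob_key?(key, root = STORAGE_ROOT)
  path_for(key, root)
  true
rescue InvalidKeyError
  false
end

if __FILE__ == $PROGRAM_NAME
  ["abcdef", "a/b/c", "..hidden", "../../etc/passwd", "/etc/passwd", "a/./b", "", "x\0y"].each do |k|
    puts "#{k.inspect}: #{valid_blob_key?(k) ? path_for(k) : 'rejected'}"
  end
end
```

Running the file prints one line per sample key, showing which keys resolve to a path under the root and which are rejected; the contrast with `naive_path_for("../../etc/passwd")`, which resolves to `/etc/passwd`, is the behaviour the advisory describes.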