CVE-2026-33202
Path Traversal in Rails Active Storage DiskService Allows File Deletion
Publication date: 2026-03-24
Last updated on: 2026-03-24
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| rubyonrails | rails | Up to 7.2.3.1 (exc) |
| rubyonrails | rails | From 8.0.0 (inc) to 8.0.4.1 (exc) |
| rubyonrails | rails | From 8.1.0 (inc) to 8.1.2.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33202 is a security vulnerability in Ruby on Rails' Active Storage DiskService, specifically in the `DiskService#delete_prefixed` method.

The vulnerability occurs because this method passes blob keys directly to the Ruby method `Dir.glob` without escaping special glob metacharacters such as `*`, `?`, `[`, `]`, `{`, `}`, and `\`.

If blob keys contain attacker-controlled input or custom-generated keys with these glob metacharacters, `Dir.glob` can match and delete unintended files beyond the intended scope.

This is effectively a glob injection attack that can lead to unintended file deletions within the storage directory.

The vulnerability was fixed by introducing a method to escape all glob metacharacters in the file path before passing it to `Dir.glob`, ensuring only the intended files are matched and deleted. [1, 2, 3, 4]
How can this vulnerability impact me?
This vulnerability can lead to unintended deletion of files within the storage directory of a Rails application using Active Storage.
If an attacker can control or influence blob keys containing glob metacharacters, they could cause the application to delete files outside the intended scope.
This may result in data loss or unauthorized removal of files, potentially disrupting application functionality or causing loss of important data.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability arises from unescaped glob metacharacters in blob keys passed to `DiskService#delete_prefixed` in Rails' Active Storage. To determine whether your system is affected, check the version of the rails gem (or activestorage, which is versioned with it) in your Gemfile.lock and whether it falls below the patched release for its series: 8.1.2.1, 8.0.4.1, or 7.2.3.1. Per the affected ranges above, every release older than 7.2.3.1 is also affected.
Additionally, audit your storage directory for files or blob keys containing glob metacharacters such as `*`, `?`, `[`, `]`, `{`, `}`, and `\`. Active Storage's default keys are random alphanumeric tokens and never contain these characters, so any such entry points to a custom key generator or to attacker-influenced input.
Since exploitation manifests as file deletion via glob expansion, look for unexpected file removals in the storage directory. Active Storage instruments these calls as `service_delete_prefixed.active_storage` notifications, so if you log that instrumentation you can also review the prefixes that were requested.
The linked resources provide no specific commands for detecting the vulnerability directly on a system or network.
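As an added example (not from the advisory's linked resources and not Rails code), the two checks above can be scripted in Ruby: parse the activestorage version out of Gemfile.lock and compare it against the affected ranges in the table, and audit a storage tree for keys containing glob metacharacters. The lockfile excerpt and storage listing below are constructed for the demo; `scan_storage` takes a real storage root.

```ruby
require "rubygems"
require "find"

# Added example, not from the advisory or from Rails itself.

# Affected ranges exactly as listed on this page: [lower (inclusive), upper (exclusive)].
AFFECTED_RANGES = [
  [nil,     "7.2.3.1"],   # everything before 7.2.3.1
  ["8.0.0", "8.0.4.1"],
  ["8.1.0", "8.1.2.1"],
].freeze

# The Dir.glob metacharacters named in the advisory.
GLOB_METACHARS = /[*?\[\]{}\\]/

# Pull the resolved activestorage version out of Gemfile.lock text. In the GEM/specs
# section a resolved gem sits at four spaces of indent ("    activestorage (8.0.4)");
# its dependency lines sit deeper and are skipped by the anchored indent.
def activestorage_version(lockfile_text)
  m = lockfile_text.match(/^ {4}activestorage \(([0-9][0-9.]*)\)$/)
  m && Gem::Version.new(m[1])
end

# True when the version falls inside any affected range from the table.
def vulnerable_version?(version)
  AFFECTED_RANGES.any? do |lo, hi|
    (lo.nil? || version >= Gem::Version.new(lo)) && version < Gem::Version.new(hi)
  end
end

# Given relative paths under the storage root, return those whose last component
# contains a glob metacharacter, i.e. keys that would change the meaning of the
# "#{prefix}*" pattern that delete_prefixed builds.
def suspicious_keys(relative_paths)
  relative_paths.select { |p| File.basename(p).match?(GLOB_METACHARS) }
end

# Walk a real storage root (for example Rails.root/"storage") with Find rather than
# Dir.glob, so the audit itself is not affected by metacharacters in the path.
def scan_storage(root)
  paths = []
  Find.find(root) { |p| paths << p.delete_prefix(root + "/") unless p == root }
  suspicious_keys(paths)
end

# Constructed Gemfile.lock excerpt for the demo (not a real lockfile).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      activestorage (8.0.4)
        actionpack (= 8.0.4)
        activejob (= 8.0.4)
        activerecord (= 8.0.4)
        activesupport (= 8.0.4)
        marcel (~> 1.0)
LOCK

# Constructed storage listing for the demo: two default-style keys and one crafted key.
SAMPLE_PATHS = %w[
  ab/cd/abcd0001
  ab/cd/abcd0002
  va/ri/variants/abcd0001/[x]*
].freeze

if __FILE__ == $PROGRAM_NAME
  v = activestorage_version(SAMPLE_LOCKFILE)
  if v.nil?
    puts "activestorage not found in lockfile"
  else
    puts "activestorage #{v}: #{vulnerable_version?(v) ? 'AFFECTED' : 'patched'}"
  end
  puts "suspicious keys: #{suspicious_keys(SAMPLE_PATHS).inspect}"
end
```

Point `scan_storage` at the directory configured for the Disk service in `config/storage.yml`; a non-empty result is worth tracing back to whatever code produced that key.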
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Rails (and with it Active Storage) to one of the patched versions: 8.1.2.1, 8.0.4.1, or 7.2.3.1. These releases escape all glob metacharacters in the prefix before it reaches `Dir.glob`.
Neutralizing the special meaning of those characters means the pattern can only match keys that literally begin with the given prefix, which prevents the unintended deletions a glob injection causes.
If an immediate upgrade is not possible, review any custom-generated blob keys or user inputs that feed into keys, and reject or sanitize values containing glob metacharacters. Applications that keep Active Storage's default random keys give an attacker no way to introduce such characters; code that sets a blob's `key` from external input does.
Audit the storage directory for suspicious deletions, and consider additional monitoring or access controls (for example, limiting which code paths may delete blobs and keeping backups of the storage root) to limit the impact of exploitation.
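The following Ruby example, added here and not taken from Rails or the advisory, reproduces the mechanism described in the explanation above and the effect of the escaping fix described in this answer. `ToyDiskService` is a hypothetical stand-in for `DiskService` that keeps its two-level on-disk layout (root/ab/cd/abcd...); `delete_prefixed_unsafe` passes the prefix to `Dir.glob` the way the affected versions do, `delete_prefixed_safe` escapes it first. `escape_glob`, `demo` and the three demo keys are this example's own, not names from the Rails code base.

```ruby
require "fileutils"
require "tmpdir"

# Added example, not the Rails source. ToyDiskService is a hypothetical stand-in for
# ActiveStorage::Service::DiskService that keeps its on-disk layout and shows
# delete_prefixed both ways: prefix passed straight to Dir.glob, and prefix with its
# glob metacharacters escaped first.
class ToyDiskService
  GLOB_METACHARS = /[*?\[\]{}\\]/

  # Three blobs used by the demo. Two share a folder, one sits in a sibling folder.
  DEMO_KEYS = %w[abcd0001 abcd0002 abce0003].freeze

  def initialize(root)
    @root = root
  end

  # Same layout rule as the real DiskService: folders from the key's first four
  # characters, then the key itself.
  def path_for(key)
    File.join(@root, key[0..1], key[2..3], key)
  end

  def write(key, content)
    path = path_for(key)
    FileUtils.mkdir_p(File.dirname(path))
    File.write(path, content)
  end

  # Vulnerable shape: the prefix becomes part of the pattern, so "ab**" expands to
  # root/ab/**/ab*** and matches every blob under root/ab recursively.
  def delete_prefixed_unsafe(prefix)
    Dir.glob(path_for("#{prefix}*")).each { |p| FileUtils.rm_rf(p) }
  end

  # Hardened shape: backslash-escape each metacharacter so Dir.glob treats the prefix
  # literally. The real fix adds an escaping helper in the same spirit; the name and
  # exact character set here are this example's own.
  def self.escape_glob(str)
    str.gsub(GLOB_METACHARS) { |m| "\\#{m}" }
  end

  def delete_prefixed_safe(prefix)
    Dir.glob(path_for("#{self.class.escape_glob(prefix)}*")).each { |p| FileUtils.rm_rf(p) }
  end

  # Build the three blobs in a fresh temp dir, run one delete, and report which keys
  # still exist. mode is :unsafe or :safe.
  def self.demo(mode, prefix)
    Dir.mktmpdir("glob-demo") do |root|
      svc = new(root)
      DEMO_KEYS.each { |k| svc.write(k, "blob #{k}") }
      mode == :unsafe ? svc.delete_prefixed_unsafe(prefix) : svc.delete_prefixed_safe(prefix)
      DEMO_KEYS.select { |k| File.exist?(svc.path_for(k)) }
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "legit prefix, unsafe:   survivors #{ToyDiskService.demo(:unsafe, 'abcd0001').inspect}"
  puts "crafted prefix, unsafe: survivors #{ToyDiskService.demo(:unsafe, 'ab**').inspect}"
  puts "crafted prefix, safe:   survivors #{ToyDiskService.demo(:safe, 'ab**').inspect}"
end
```

Running it shows the crafted prefix `ab**` wiping all three blobs through the unsafe path, including the one in the sibling folder, and nothing through the escaped path, while a legitimate key deletes exactly itself either way. The escaping relies on `Dir.glob`'s default backslash handling, so it holds on POSIX filesystems where Active Storage's Disk service is normally used.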