CVE-2026-33658
Received Received - Intake
Denial of Service via Unrestricted HTTP Range in Rails Active Storage

Publication date: 2026-03-26

Last updated on: 2026-04-30

Assigner: GitHub, Inc.

Description
Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 Active Storage's proxy controller does not limit the number of byte ranges in an HTTP Range header. A request with thousands of small ranges causes disproportionate CPU usage compared to a normal request for the same file, possibly resulting in a DoS vulnerability. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-26
Last Modified
2026-04-30
Generated
2026-06-16
AI Q&A
2026-03-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33658
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
rubyonrails rails to 7.2.3.1 (exc)
rubyonrails rails From 8.0.0 (inc) to 8.0.4.1 (exc)
rubyonrails rails From 8.1.0 (inc) to 8.1.2.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Active Storage, a feature in Rails applications that allows users to attach cloud and local files. Prior to certain fixed versions, the proxy controller in Active Storage did not limit the number of byte ranges specified in an HTTP Range header.

An attacker can send a request with thousands of small byte ranges, which causes disproportionate CPU usage compared to a normal request for the same file. This excessive CPU consumption can lead to a denial of service (DoS) condition.

The issue has been patched in versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 of Active Storage.

Impact Analysis

This vulnerability can impact you by allowing an attacker to cause a denial of service (DoS) on your Rails application using Active Storage.

By sending specially crafted HTTP requests with thousands of small byte ranges, the attacker can cause excessive CPU usage on your server, potentially degrading performance or making the service unavailable to legitimate users.

Mitigation Strategies

To mitigate this vulnerability, update Active Storage to one of the patched versions: 8.1.2.1, 8.0.4.1, or 7.2.3.1.

Compliance Impact

The vulnerability described involves a denial-of-service (DoS) risk due to excessive CPU usage triggered by HTTP Range header abuse in Active Storage's proxy controller. There is no information provided about any impact on data confidentiality, integrity, or privacy that would directly relate to compliance with standards like GDPR or HIPAA.

Therefore, based on the available information, this vulnerability does not appear to affect compliance with common data protection regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33658. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart