Executive Summary

CVE-2026-34060 is an arbitrary code execution vulnerability in the Shopify ruby-lsp VS Code extension and ruby-lsp RubyGem. The vulnerability occurs because the rubyLsp.branch workspace setting in VS Code is interpolated without sanitization into a generated Gemfile. This means that if a user opens a project containing a malicious .vscode/settings.json file with a specially crafted branch setting, arbitrary Ruby code can be executed on the user's machine.

The root cause is improper control of code generation, where external input (the branch setting) is embedded directly into code without neutralizing special elements that could alter code behavior. This allows an attacker to execute code with the privileges of the user opening the workspace.

The issue was fixed by removing the rubyLsp.branch setting from the VS Code extension and the branch CLI flag from the ruby-lsp gem. The patched versions are ruby-lsp VS Code extension 0.10.2 and ruby-lsp gem 0.26.9 or later.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an attacker to execute arbitrary Ruby code on your machine with your user privileges if you open a malicious repository containing a crafted .vscode/settings.json file and trust the workspace in VS Code or any other editor that applies workspace settings automatically.

The impact is significant because it can lead to unauthorized code execution, potentially compromising your system, stealing data, or performing other malicious actions under your user context.

Users who have disabled auto-updates or have ruby-lsp locked in Gemfiles must manually update to the fixed versions to mitigate this risk.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if your environment is using a vulnerable version of the Shopify ruby-lsp VS Code extension or ruby-lsp RubyGem prior to versions 0.10.2 and 0.26.9 respectively.

You can inspect your VS Code workspace settings for the presence of a .vscode/settings.json file that contains the rubyLsp.branch setting, which is the vector for this vulnerability.

To detect potentially malicious settings, you can run commands to search for the rubyLsp.branch setting in your project directories, for example:

• grep -r 'rubyLsp.branch' .vscode/
• grep -r 'rubyLsp.branch' .

Additionally, verify the installed versions of ruby-lsp and the VS Code extension:

• For the RubyGem: gem list ruby-lsp
• For the VS Code extension, check the installed version in VS Code extensions panel or run: code --list-extensions --show-versions | grep ruby-lsp

If the versions are older than 0.10.2 (VS Code extension) or 0.26.9 (ruby-lsp gem), your system is vulnerable.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability immediately, update the Shopify ruby-lsp VS Code extension to version 0.10.2 or later and the ruby-lsp RubyGem to version 0.26.9 or later.

If you have disabled auto-updates for the VS Code extension or have ruby-lsp locked in your Gemfile, manually perform these updates.

Additionally, avoid opening or trusting workspaces that contain untrusted or suspicious .vscode/settings.json files, especially those that include the rubyLsp.branch setting.

Removing or sanitizing the rubyLsp.branch setting from workspace settings can prevent the arbitrary code execution triggered by this vulnerability.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows arbitrary code execution when a user opens a project containing a malicious .vscode/settings.json file, potentially leading to unauthorized access or manipulation of user data on the affected system.

Such unauthorized code execution could result in data breaches or exposure of sensitive information, which may impact compliance with data protection regulations like GDPR or HIPAA that require safeguarding personal and sensitive data.

However, the provided information does not explicitly discuss or analyze the direct impact of this vulnerability on compliance with specific standards or regulations.

Useful 0 Not Useful 0