Description
Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, `DirectUploadsController` accepts arbitrary metadata from the client and persists it on the blob. Because internal flags like `identified` and `analyzed` are stored in the same metadata hash, a direct-upload client can set these flags to skip MIME detection and analysis. This allows an attacker to upload arbitrary content while claiming a safe `content_type`, bypassing any validations that rely on Active Storage's automatic content type identification. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
Published: 2026-03-23
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Content type bypass leading to arbitrary file upload
Action: Patch immediately
AI Analysis

Impact

The vulnerability occurs when direct uploads are processed by Rails Active Storage: metadata supplied by the client is persisted on blobs, including internal flags such as `identified` and `analyzed`. An attacker can set these to skip automatic MIME type detection and content analysis, allowing arbitrary files to be stored under a benign `content_type`. This bypasses any validation that relies on content type identification, potentially leading to the execution of malicious code or the storage of unwanted content.
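As an added illustration (not Rails' own code and not the upstream patch), two defensive checks an application can layer on direct uploads: stripping the reserved `identified`/`analyzed` keys from client-supplied metadata before a blob is persisted, and validating an attachment from its bytes rather than from the blob's stored `content_type`. The helper names and the small magic-number table are assumptions made for this example.

```ruby
# Added example: defensive handling of direct-upload metadata and content type.
# Not Rails' code; helper names and the signature table are assumptions.

# Internal Active Storage flags named in the advisory. A client must never be
# able to set these through direct-upload metadata.
RESERVED_BLOB_METADATA = %w[identified analyzed].freeze

# Drop reserved keys from client metadata before it is persisted on the blob.
# Returns [clean_metadata, rejected_keys] so rejections can be logged/alerted on.
def sanitize_direct_upload_metadata(metadata)
  metadata = (metadata || {}).to_h.transform_keys(&:to_s)
  rejected = metadata.keys & RESERVED_BLOB_METADATA
  [metadata.reject { |k, _| RESERVED_BLOB_METADATA.include?(k) }, rejected]
end

# Constructed magic-number table for the few types this app accepts. A real
# app would use a full sniffer such as Marcel; the lesson is the same: derive
# the type from the bytes, never from client-controlled fields.
MAGIC = {
  "image/png"       => "\x89PNG\r\n\x1A\n".b,
  "image/jpeg"      => "\xFF\xD8\xFF".b,
  "application/pdf" => "%PDF-".b,
}.freeze

# Identify a content type from the leading bytes of the file.
def sniff_content_type(bytes)
  head = bytes.to_s.b
  found = MAGIC.find { |_, sig| head.start_with?(sig) }
  found ? found.first : "application/octet-stream"
end

# Accept an attachment only if the sniffed type is allowed AND matches what the
# blob claims. Ignores the blob's identified/analyzed flags entirely, so a
# client that forged them gains nothing.
def attachment_acceptable?(claimed_content_type, bytes, allowed: MAGIC.keys)
  actual = sniff_content_type(bytes)
  allowed.include?(actual) && actual == claimed_content_type
end
```

In a Rails app the sanitizer would run where `DirectUploadsController` builds the blob, and the byte-level validator where the attachment is validated, keeping the blob's own flags out of the trust decision.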

Affected Systems

The flaw affects Rails Active Storage, specifically versions before 8.1.2.1, 8.0.4.1, and 7.2.3.1. Any Rails application that uses Active Storage and has not applied the corresponding patch is vulnerable. The issue resides in the `DirectUploadsController` component of the Rails framework.

Risk and Exploitability

The vulnerability has a CVSS score of 5.3, indicating medium severity, and a very low EPSS probability of less than 1%. It is not listed in the CISA KEV catalog. Attackers can exploit it by crafting a direct-upload request that includes privileged metadata keys; the affected endpoint is reachable over the network, so exploitation is remote. The bypass allows uploading arbitrary data while deceiving the application into treating it as safe.

Generated by OpenCVE AI on March 24, 2026 at 19:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Rails 8.1.2.1 or newer, 8.0.4.1 or newer, or 7.2.3.1 or newer to apply the patch.

Advisories

Source: Github GHSA
ID: GHSA-qcfx-2mfw-w4cg
Title: Rails Active Storage has possible content type bypass via metadata in direct uploads

History

Tue, 24 Mar 2026 18:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Rubyonrails; Rubyonrails rails
CPEs | | cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*
Vendors & Products | | Rubyonrails; Rubyonrails rails
Metrics | cvssV3_1 {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L'} | cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Tue, 24 Mar 2026 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 24 Mar 2026 12:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-1287
References | |
Metrics | threat_severity None | cvssV3_1 {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L'}; threat_severity Moderate


Tue, 24 Mar 2026 10:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Rails; Rails activestorage
Vendors & Products | | Rails; Rails activestorage

Tue, 24 Mar 2026 02:30:00 +0000

Type | Values Removed | Values Added
Description | | (the Description text shown at the top of this page)
Title | | Rails Active Storage has possible content type bypass via metadata in direct uploads
Weaknesses | | CWE-925
References | |
Metrics | | cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T15:12:50.569Z

Reserved: 2026-03-17T22:16:36.719Z

Link: CVE-2026-33173

Vulnrichment

Updated: 2026-03-24T14:14:26.157Z

NVD

Status : Analyzed

Published: 2026-03-24T00:16:28.457

Modified: 2026-03-24T17:56:09.113

Link: CVE-2026-33173

Redhat

Severity : Moderate

Public Date: 2026-03-23T23:21:29Z

Links: CVE-2026-33173 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-25T20:36:05Z

Weaknesses