Description
Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's `DiskService#path_for` does not validate that the resolved filesystem path remains within the storage root directory. If a blob key containing path traversal sequences (e.g. `../`) is used, it could allow reading, writing, or deleting arbitrary files on the server. Blob keys are expected to be trusted strings, but some applications could be passing user input as keys and would be affected. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
Published: 2026-03-23
Score: 8 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Access
Action: Apply Patch
AI Analysis

Impact

A path traversal weakness exists in the DiskService#path_for routine of Ruby on Rails Active Storage. The routine builds a file system path from a blob key without confirming that the resulting path stays within the storage root. If a key containing sequences like "../" is supplied, the application can read, overwrite, or delete files anywhere on the host file system. This flaw is classified as a path traversal vulnerability (CWE-22) and can compromise confidentiality, integrity, and availability whenever the blob key originates from untrusted sources.
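The containment gap described above, shown as an added Ruby illustration that is not Rails code: a simplified DiskService stand-in with an unchecked path_for beside a hardened one that allowlists the key format and then verifies the resolved path stays under the storage root. The class name, the two-level key directory layout and the /var/storage root are assumptions.

```ruby
require "pathname"

# Added illustration, not Rails code: a minimal stand-in for Active Storage's
# DiskService contrasting an unchecked path_for with a contained one. The
# <root>/<key[0..1]>/<key[2..3]>/<key> layout is an assumed simplification.
class DiskServiceExample
  class InvalidKey < ArgumentError; end
  # Internally generated Active Storage keys are alphanumeric (base58);
  # anything else (slashes, dots, empty) is treated as untrusted input.
  KEY_FORMAT = /\A[A-Za-z0-9]+\z/
  attr_reader :root

  def initialize(root)
    @root = Pathname.new(root).expand_path
  end

  # Unchecked variant: the key is joined verbatim, so "../" segments walk
  # out of the storage root once the path is resolved.
  def unchecked_path_for(key)
    File.join(root.to_s, folder_for(key), key)
  end

  # Containment check: resolve the path and require it to stay under root.
  def contained_path_for(key)
    resolved = Pathname.new(unchecked_path_for(key)).expand_path
    unless resolved.to_s.start_with?(root.to_s + File::SEPARATOR)
      raise InvalidKey, "key resolves outside the storage root"
    end
    resolved.to_s
  end

  # Hardened entry point: allowlist the key format first (the primary
  # control), then apply the containment check as defense in depth.
  def path_for(key)
    raise InvalidKey, "key has unexpected characters" unless key.match?(KEY_FORMAT)
    contained_path_for(key)
  end

  # True when the hardened entry point accepts the key.
  def accepts?(key)
    path_for(key)
    true
  rescue InvalidKey
    false
  end

  private

  def folder_for(key)
    [key[0..1], key[2..3]].join("/")
  end
end
```

Note that a key such as "ab/../cd" passes the containment check alone (it resolves to another slot inside the root) but fails the format allowlist, which is why the allowlist is the primary control.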

Affected Systems

The weakness affects all Rails releases prior to 8.1.2.1, 8.0.4.1, and 7.2.3.1. Rails applications that accept user-controlled values as the blob key are at risk. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch that validates the resolved path, and later releases are not vulnerable.

Risk and Exploitability

The vulnerability carries a CVSS v4.0 base score of 8 (High). Current exploitation likelihood is very low: the EPSS probability is below 1 percent, and the CVE is not listed in CISA's Known Exploited Vulnerabilities catalog. The attack vector is likely remote via HTTP requests that supply a malicious blob key, but local execution within the Rails process can also trigger the flaw. Because the flaw permits arbitrary file manipulation, remedial action is imperative.

Generated by OpenCVE AI on March 24, 2026 at 20:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Rails to 8.1.2.1, 8.0.4.1, or 7.2.3.1.
  • Ensure blob keys are generated internally and not taken from user input.
  • Review any custom code that uses DiskService to verify no pathname manipulation.
  • Monitor logs for unexpected file operations.

Advisories

  Source: GitHub GHSA
  ID: GHSA-9xrj-h377-fr87
  Title: Rails Active Storage has possible Path Traversal in DiskService
History

Tue, 24 Mar 2026 18:00:00 +0000

  First Time appeared   (added) Rubyonrails; Rubyonrails rails
  CPEs                  (added) cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*
  Vendors & Products    (added) Rubyonrails; Rubyonrails rails
  Metrics               (removed) cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N'}
                        (added)   cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Tue, 24 Mar 2026 15:15:00 +0000

  Metrics               (added) ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 12:15:00 +0000

  References            (updated)
  Metrics               (removed) threat_severity None
                        (added)   cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N'}
                        (added)   threat_severity Important

Tue, 24 Mar 2026 10:45:00 +0000

  First Time appeared   (added) Rails; Rails activestorage
  Vendors & Products    (added) Rails; Rails activestorage

Tue, 24 Mar 2026 02:30:00 +0000

  Description           (added) Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's `DiskService#path_for` does not validate that the resolved filesystem path remains within the storage root directory. If a blob key containing path traversal sequences (e.g. `../`) is used, it could allow reading, writing, or deleting arbitrary files on the server. Blob keys are expected to be trusted strings, but some applications could be passing user input as keys and would be affected. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
  Title                 (added) Rails Active Storage has possible Path Traversal in DiskService
  Weaknesses            (added) CWE-22
  References            (added)
  Metrics               (added) cvssV4_0 {'score': 8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U'}


Subscriptions

Rails Activestorage
Rubyonrails Rails
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-25T03:56:06.239Z

Reserved: 2026-03-17T22:16:36.721Z

Link: CVE-2026-33195

Vulnrichment

Updated: 2026-03-24T14:11:13.687Z

NVD

Status : Analyzed

Published: 2026-03-24T00:16:28.987

Modified: 2026-03-24T17:55:45.480

Link: CVE-2026-33195

Redhat

Severity : Important

Public Date: 2026-03-23T23:31:41Z

Links: CVE-2026-33195 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-25T20:35:59Z

Weaknesses