Description
Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's `DiskService#delete_prefixed` passes blob keys directly to `Dir.glob` without escaping glob metacharacters. If a blob key contains attacker-controlled input or custom-generated keys with glob metacharacters, it may be possible to delete unintended files from the storage directory. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
Published: 2026-03-23
Score: 6.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: File Deletion
Action: Apply Patch
AI Analysis

Impact

Active Storage allows Rails applications to attach cloud and local files. In versions earlier than 7.2.3.1, 8.0.4.1, and 8.1.2.1, the DiskService#delete_prefixed method passed blob keys directly to Dir.glob without escaping glob metacharacters. If a blob key contains attacker‑controlled or specially crafted glob characters, the method may delete unintended files from the storage directory. This results in loss of data and can disrupt application availability, representing a moderate-severity vulnerability (CWE‑22 and CWE‑74).

Affected Systems

The vulnerability affects Ruby on Rails’ Active Storage component in all releases before Rails 7.2.3.1, 8.0.4.1, and 8.1.2.1. Affected installations include any Rails application that uses the unpatched DiskService for local file storage, regardless of deployment environment.

Risk and Exploitability

The CVSS score of 6.6 indicates moderate severity. EPSS is below 1 %, suggesting a low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. An attacker would need access to the application’s API or upload functionality to supply a malicious blob key, implying a remote or locally authenticated attack vector depending on exposure. If successful, the attacker could delete arbitrary files within the storage directory, compromising data integrity and potentially isolating application functionality.

Generated by OpenCVE AI on March 24, 2026 at 20:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Rails to version 7.2.3.1, 8.0.4.1, or 8.1.2.1 (or later) to apply the official patch.

Generated by OpenCVE AI on March 24, 2026 at 20:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-73f9-jhhh-hr5m Rails Active Storage has possible glob injection in its DiskService
History

Tue, 24 Mar 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Rubyonrails
Rubyonrails rails
CPEs cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*
Vendors & Products Rubyonrails
Rubyonrails rails
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}

 cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H'}

Tue, 24 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-22
References
Metrics threat_severity

None

 cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}

threat_severity

Moderate

Tue, 24 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Rails
Rails activestorage
Vendors & Products Rails
Rails activestorage

Tue, 24 Mar 2026 02:30:00 +0000

Type Values Removed Values Added
Description Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's `DiskService#delete_prefixed` passes blob keys directly to `Dir.glob` without escaping glob metacharacters. If a blob key contains attacker-controlled input or custom-generated keys with glob metacharacters, it may be possible to delete unintended files from the storage directory. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
Title Rails Active Storage has possible glob injection in its DiskService
Weaknesses CWE-74
References
Metrics cvssV4_0

{'score': 6.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U'}

Subscriptions

Rails Activestorage
Rubyonrails Rails
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T15:44:19.018Z

Reserved: 2026-03-17T23:23:58.312Z

Link: CVE-2026-33202

cve-icon Vulnrichment

Updated: 2026-03-24T15:44:10.144Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-24T00:16:29.157

Modified: 2026-03-24T17:55:12.260

Link: CVE-2026-33202

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-23T23:34:52Z

Links: CVE-2026-33202 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T20:35:58Z

Weaknesses