Rails Active Storage has possible Path Traversal in DiskService

GHSA-9xrj-h377-fr87 · CVE-2026-33195

Published Mar 23, 2026 · Modified May 13, 2026

Description

Impact

Active Storage's DiskService#path_for does not validate that the resolved filesystem path remains within the storage root directory. If a blob key containing path traversal sequences (e.g. ../) is used, it could allow reading, writing, or deleting arbitrary files on the server. Blob keys are expected to be trusted strings, but some applications could be passing user input as keys and would be affected.

Releases

The fixed releases are available at the normal locations.

Credit

This issue was responsibly reported by Hackerone researcher ksw9722.

References

WEB https://github.com/rails/rails/security/advisories/GHSA-9xrj-h377-fr87
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-33195
WEB https://github.com/rails/rails/commit/4933c1e3b8c1bb04925d60347be9f69270392f2c
WEB https://github.com/rails/rails/commit/9b06fbc0f504b8afe333f33d19548f3b85fbe655
WEB https://github.com/rails/rails/commit/a290c8a1ec189d793aa6d7f2570b6a763f675348
PACKAGE https://github.com/rails/rails
WEB https://github.com/rails/rails/releases/tag/v7.2.3.1
WEB https://github.com/rails/rails/releases/tag/v8.0.4.1
WEB https://github.com/rails/rails/releases/tag/v8.1.2.1
WEB https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2026-33195.yml

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes