CVE-2026-33202

Rails Active Storage has possible glob injection in its DiskService

Severity Score

6.6

*CVSS v4

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's `DiskService#delete_prefixed` passes blob keys directly to `Dir.glob` without escaping glob metacharacters. If a blob key contains attacker-controlled input or custom-generated keys with glob metacharacters, it may be possible to delete unintended files from the storage directory. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.

Active Storage permite a los usuarios adjuntar archivos locales y en la nube en aplicaciones Rails. Antes de las versiones 8.1.2.1, 8.0.4.1 y 7.2.3.1, el 'DiskService#delete_prefixed' de Active Storage pasa las claves de blob directamente a 'Dir.glob' sin escapar los metacaracteres glob. Si una clave de blob contiene entrada controlada por el atacante o claves generadas a medida con metacaracteres glob, puede ser posible eliminar archivos no deseados del directorio de almacenamiento. Las versiones 8.1.2.1, 8.0.4.1 y 7.2.3.1 contienen un parche.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Attack Requirements

None

Privileges Required

None

User Interaction

None

System

Vulnerable | Subsequent

Confidentiality

None

Integrity

High

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

None

Automatable

Yes

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2026-03-17 CVE Reserved
2026-03-23 CVE Published
2026-03-24 CVE Updated
2026-03-29 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CAPEC

References (7)

URL	Tag	Source
https://github.com/rails/rails/releases/tag/v7.2.3.1	Release Notes
https://github.com/rails/rails/releases/tag/v8.0.4.1	Release Notes
https://github.com/rails/rails/releases/tag/v8.1.2.1	Release Notes

URL	Date	SRC

URL	Date	SRC
https://github.com/rails/rails/commit/8c9676b803820110548cdb7523800db43bc6874c	2026-03-24
https://github.com/rails/rails/commit/955284d26e469a9c026a4eee5b21f0414ab0bccf	2026-03-24
https://github.com/rails/rails/commit/fa19073546360856e9f4dab221fc2c5d73a45e82	2026-03-24

URL	Date	SRC
https://github.com/rails/rails/security/advisories/GHSA-73f9-jhhh-hr5m	2026-03-24

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Rubyonrails Search vendor "Rubyonrails"		Rails Search vendor "Rubyonrails" for product "Rails"				< 7.2.3.1 Search vendor "Rubyonrails" for product "Rails" and version " < 7.2.3.1"		-		Affected
Rubyonrails Search vendor "Rubyonrails"		Rails Search vendor "Rubyonrails" for product "Rails"				>= 8.0.0 < 8.0.4.1 Search vendor "Rubyonrails" for product "Rails" and version " >= 8.0.0 < 8.0.4.1"		-		Affected
Rubyonrails Search vendor "Rubyonrails"		Rails Search vendor "Rubyonrails" for product "Rails"				>= 8.1.0 < 8.1.2.1 Search vendor "Rubyonrails" for product "Rails" and version " >= 8.1.0 < 8.1.2.1"		-		Affected