CVE-2023-50448
Description
In ActiveAdmin (aka Active Admin) before 2.12.0, a concurrency issue allows a malicious actor to access potentially private data (that belongs to another user) by making CSV export requests at certain specific times.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ActiveAdmin before 2.12.0 has a concurrency issue in CSV export that may expose another user's private data when requests are timed maliciously.
Vulnerability
ActiveAdmin prior to version 2.12.0 contains a concurrency issue in its CSV export functionality ([2]). The race condition allows a malicious actor to access potentially private data belonging to other users by timing CSV export requests ([1], [2]).
Exploitation
An attacker must send CSV export requests at specific times to exploit the race condition. The exact prerequisites are not detailed, but it likely requires authenticated access to the ActiveAdmin interface since CSV exports are typically restricted to logged-in administrators ([1], [2]).
Impact
If successful, the attacker can view confidential data from other users, such as personal information, financial records, or other sensitive resources managed via ActiveAdmin ([2], [3]). This could lead to data breaches and privacy violations.
Mitigation
The vulnerability is fixed in ActiveAdmin version 2.12.0 ([1], [3]). Users are advised to upgrade immediately. The fix, introduced in pull request #7336 ([1]), eliminates the concurrency issue by avoiding duplicate work during CSV downloads. No workarounds are documented.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| activeadmin (RubyGems) | < 2.12.0 | 2.12.0 |
Affected products
- ActiveAdmin (aka Active Admin)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-356j-hg45-x525 (advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-50448 (advisory)
- github.com/activeadmin/activeadmin/pull/7336 (web)
- github.com/activeadmin/activeadmin/security/advisories/GHSA-356j-hg45-x525 (web)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/activeadmin/CVE-2023-50448.yml (web)
News mentions
No linked articles in our index yet.