Moderate severity · NVD Advisory · Published Mar 23, 2026 · Updated Mar 24, 2026

Rails Active Storage has possible content type bypass via metadata in direct uploads

CVE-2026-33173

Description

Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, DirectUploadsController accepts arbitrary metadata from the client and persists it on the blob. Because internal flags like identified and analyzed are stored in the same metadata hash, a direct-upload client can set these flags to skip MIME detection and analysis. This allows an attacker to upload arbitrary content while claiming a safe content_type, bypassing any validations that rely on Active Storage's automatic content type identification. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
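The mechanism described above, illustrated by an added example that is neither Rails' own code nor the upstream fix: a defender-side filter that strips the reserved identified and analyzed keys from client-supplied direct-upload metadata before anything is persisted, plus a magic-byte check that refuses to trust a claimed content_type unless the leading bytes agree. The RESERVED_METADATA_KEYS list, the small MAGIC signature table, the review_direct_upload helper and the sample request are all constructed for illustration; a real deployment relies on the patched versions and a full sniffer such as Marcel rather than this table.

```ruby
# Added example (not Active Storage's code or the upstream patch): reject
# client-controlled internal flags and re-verify the claimed content type.

require "json"

# Blob state keys Active Storage keeps in the metadata hash (per the
# advisory). A direct-upload client must never be able to set them.
RESERVED_METADATA_KEYS = %w[identified analyzed].freeze

# Constructed magic-byte table for a few common types. Assumption: enough
# for this demonstration; production code would use a complete sniffer.
MAGIC = {
  "image/png"       => "\x89PNG\r\n\x1a\n".b,
  "image/jpeg"      => "\xFF\xD8\xFF".b,
  "application/pdf" => "%PDF-".b,
}.freeze

# Drop reserved keys from client metadata. Returns [cleaned_hash, rejected_keys]
# so the caller can log which flags a client tried to smuggle in.
def sanitize_direct_upload_metadata(metadata)
  metadata = (metadata || {}).transform_keys(&:to_s)
  rejected = metadata.keys & RESERVED_METADATA_KEYS
  [metadata.reject { |k, _| RESERVED_METADATA_KEYS.include?(k) }, rejected]
end

# Sniff the content type from the leading bytes; nil when unrecognised.
def sniff_content_type(bytes)
  head = bytes.b
  MAGIC.each { |type, sig| return type if head.start_with?(sig) }
  nil
end

# The claimed type is trusted only when the sniffed type agrees with it;
# an unrecognised payload is never trusted on the strength of the claim.
def content_type_trusted?(claimed, bytes)
  sniffed = sniff_content_type(bytes)
  !sniffed.nil? && sniffed == claimed
end

# Review one direct-upload request (hypothetical helper): params is the
# parsed JSON body, bytes the first chunk of the uploaded object.
def review_direct_upload(params, bytes)
  metadata, rejected = sanitize_direct_upload_metadata(params["metadata"])
  {
    metadata: metadata,
    rejected_keys: rejected,
    content_type_trusted: content_type_trusted?(params["content_type"], bytes),
  }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: the client claims image/png, sets both internal
  # flags, and then stores HTML in the object.
  body = '{"filename":"a.png","content_type":"image/png",' \
         '"metadata":{"identified":true,"analyzed":true,"caption":"x"}}'
  puts review_direct_upload(JSON.parse(body), "<html><script>").inspect
end
```

The sanitizer runs before the blob is created, so a client that sends identified or analyzed simply loses those keys and Active Storage's own identification and analysis still run; the sniff check is the independent second line, useful in a validation that must not depend on the metadata flags at all.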


Affected packages

Versions sourced from the GitHub Security Advisory.

Package        Ecosystem   Affected versions            Patched versions
activestorage  RubyGems    >= 8.1.0.beta1, < 8.1.2.1    8.1.2.1
activestorage  RubyGems    >= 8.0.0.beta1, < 8.0.4.1    8.0.4.1
activestorage  RubyGems    < 7.2.3.1                    7.2.3.1
