Moderate severity · NVD Advisory · Published Mar 23, 2026 · Updated Mar 24, 2026
Rails Active Storage has possible glob injection in its DiskService
CVE-2026-33202
Description
Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's DiskService#delete_prefixed passes blob keys directly to Dir.glob without escaping glob metacharacters. If a blob key contains attacker-controlled input or custom-generated keys with glob metacharacters, it may be possible to delete unintended files from the storage directory. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
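As an added illustration of the mechanism in the description (not code from Rails or from the advisory), the block below contrasts a prefix match that interpolates a key into `Dir.glob` unescaped with one that escapes glob metacharacters first. The directory layout, the key values and the helper names (`escape_glob`, `prefix_matches_unescaped`, `prefix_matches_escaped`) are constructed for this example; the fixed Rails versions listed above are the actual mitigation, and the escaping shown here is only one way a reviewer could check that a key cannot widen a glob.

```ruby
require "tmpdir"
require "fileutils"

# Characters Dir.glob interprets specially, plus the backslash used to escape them.
# Assumption for this example: backslash escaping is honoured (FNM_NOESCAPE is not set).
GLOB_METACHARS = /([\\*?\[\]{}])/

# Escape every glob metacharacter in a blob key so it matches itself literally.
def escape_glob(str)
  str.gsub(GLOB_METACHARS) { "\\#{Regexp.last_match(1)}" }
end

# Unescaped variant: the key goes straight into the pattern, so a key that
# contains a metacharacter widens the match beyond its own prefix.
def prefix_matches_unescaped(root, key)
  Dir.glob(File.join(root, "#{key}*")).map { |p| File.basename(p) }.sort
end

# Escaped variant: the key is only ever matched as a literal prefix.
def prefix_matches_escaped(root, key)
  Dir.glob(File.join(root, "#{escape_glob(key)}*")).map { |p| File.basename(p) }.sort
end

# Builds a constructed storage directory with three files and reports what each
# variant would select for a normal key and for a key holding a metacharacter.
def demo
  Dir.mktmpdir do |root|
    %w[abc123 abc123.variant other456].each { |k| FileUtils.touch(File.join(root, k)) }
    {
      normal_key_unescaped: prefix_matches_unescaped(root, "abc123"),
      normal_key_escaped: prefix_matches_escaped(root, "abc123"),
      meta_key_unescaped: prefix_matches_unescaped(root, "*"),
      meta_key_escaped: prefix_matches_escaped(root, "*")
    }
  end
end

if $PROGRAM_NAME == __FILE__
  demo.each { |label, files| puts "#{label}: #{files.inspect}" }
end
```

The point to take from the output is that only the unescaped variant lets a metacharacter in the key select files outside the key's own prefix; with escaping, a key such as `*` matches nothing because no stored file begins with a literal asterisk.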
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| activestorage | RubyGems | >= 8.1.0.beta1, < 8.1.2.1 | 8.1.2.1 |
| activestorage | RubyGems | >= 8.0.0.beta1, < 8.0.4.1 | 8.0.4.1 |
| activestorage | RubyGems | < 7.2.3.1 | 7.2.3.1 |
Affected products
Nine OSV coordinate entries (none with a CPE assigned):
- pkg:apk/chainguard/gitlab-rails-ce-18.10 (range: < 18.10.3-r1)
- pkg:apk/chainguard/gitlab-rails-ce-fips-18.10 (range: < 18.10.3-r0)
- pkg:apk/chainguard/gitlab-rails-ce-fips-18.9 (range: < 18.9.5-r0)
- pkg:apk/chainguard/ruby3.2-rails-8.1 (range: < 8.1.3-r0)
- pkg:apk/chainguard/ruby3.4-rails-8.0 (range: < 8.0.5-r0)
- pkg:apk/wolfi/ruby3.2-rails-8.1 (range: < 8.1.3-r0)
- pkg:apk/wolfi/ruby3.4-rails-8.0 (range: < 8.0.5-r0)
- pkg:gem/activestorage (range: >= 8.1.0.beta1, < 8.1.2.1)
- (no package coordinate) range: >= 8.1.0.beta1, < 8.1.2.1
References
- https://github.com/advisories/GHSA-73f9-jhhh-hr5m (GHSA advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2026-33202 (NVD advisory)
- https://github.com/rails/rails/commit/8c9676b803820110548cdb7523800db43bc6874c (fix commit)
- https://github.com/rails/rails/commit/955284d26e469a9c026a4eee5b21f0414ab0bccf (fix commit)
- https://github.com/rails/rails/commit/fa19073546360856e9f4dab221fc2c5d73a45e82 (fix commit)
- https://github.com/rails/rails/releases/tag/v7.2.3.1 (release)
- https://github.com/rails/rails/releases/tag/v8.0.4.1 (release)
- https://github.com/rails/rails/releases/tag/v8.1.2.1 (release)
- https://github.com/rails/rails/security/advisories/GHSA-73f9-jhhh-hr5m (vendor advisory)
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2026-33202.yml (ruby-advisory-db entry)