CVE-2026-33195: Rails Active Storage has possible Path Traversal in DiskService
Active Storage’s DiskService#path_for does not validate that the resolved filesystem path remains within the storage root directory. If a blob key containing path traversal sequences (e.g. ../) is used, it could allow reading, writing, or deleting arbitrary files on the server. Blob keys are expected to be trusted strings, but some applications could be passing user input as keys and would be affected.
References
- github.com/advisories/GHSA-9xrj-h377-fr87
- github.com/rails/rails
- github.com/rails/rails/commit/4933c1e3b8c1bb04925d60347be9f69270392f2c
- github.com/rails/rails/commit/9b06fbc0f504b8afe333f33d19548f3b85fbe655
- github.com/rails/rails/commit/a290c8a1ec189d793aa6d7f2570b6a763f675348
- github.com/rails/rails/releases/tag/v7.2.3.1
- github.com/rails/rails/releases/tag/v8.0.4.1
- github.com/rails/rails/releases/tag/v8.1.2.1
- github.com/rails/rails/security/advisories/GHSA-9xrj-h377-fr87
- nvd.nist.gov/vuln/detail/CVE-2026-33195
Code Behaviors & Features
Detect and mitigate CVE-2026-33195 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →