[CVE-2026-33173] Insufficient filtering of metadata in Active Storage direct uploads

jhawthorn · March 23, 2026, 9:25pm

Impact

Active Storage’s DirectUploadsController accepts arbitrary metadata from the client and persists it on the blob. Because internal flags like identified and analyzed are stored in the same metadata hash, a malicious direct-upload client could set these flags.

Releases

The fixed releases are available at the normal locations.

CVE-2026-33173
GHSA-qcfx-2mfw-w4cg

Versions affected

activestorage >= 8.1, < 8.1.2.1 (patched in 8.1.2.1)
activestorage >= 8.0, < 8.0.4.1 (patched in 8.0.4.1)
activestorage < 7.2.3.1 (patched in 7.2.3.1)

Topic		Replies	Views
Pass identified as true in metadata while creating blob via direct upload rubyonrails-core activestorage	0	312	March 7, 2024
[CVE-2026-33202] Possible glob injection in Active Storage DiskService Security Announcements announcement , security	0	250	March 23, 2026
[CVE-2026-33195] Possible path traversal in Active Storage DiskService Security Announcements announcement , security	0	250	March 23, 2026
[CVE-2022-21831] Possible code injection vulnerability in Rails / Active Storage Security Announcements	0	10630	March 8, 2022
ActiveStorage Direct Uploads Safe by Default/How to make it safe? rubyonrails-talk	8	3112	March 28, 2023

[CVE-2026-33173] Insufficient filtering of metadata in Active Storage direct uploads

Impact

Releases

Versions affected

Patches

More Resources

[CVE-2026-33173] Insufficient filtering of metadata in Active Storage direct uploads

Impact

Releases

Versions affected

Patches

Related topics

More Resources