[CVE-2026-33195] Possible path traversal in Active Storage DiskService

jhawthorn · March 23, 2026, 9:25pm

Impact

Active Storage’s DiskService#path_for does not validate that the resolved filesystem path remains within the storage root directory. If a blob key containing path traversal sequences (e.g. ../) is used, it could allow reading, writing, or deleting arbitrary files on the server. Blob keys are expected to be trusted strings, but some applications could be passing user input as keys and would be affected.

Releases

The fixed releases are available at the normal locations.

CVE-2026-33195
GHSA-9xrj-h377-fr87

Versions affected

activestorage >= 8.1, < 8.1.2.1 (patched in 8.1.2.1)
activestorage >= 8.0, < 8.0.4.1 (patched in 8.0.4.1)
activestorage < 7.2.3.1 (patched in 7.2.3.1)

Topic	Replies	Views
[CVE-2026-33202] Possible glob injection in Active Storage DiskService Security Announcements announcement , security	226	March 23, 2026
[ActiveStorage] Feature config.active_storage.mount_path rubyonrails-core	207	March 13, 2018
[CVE-2026-33174] Possible DoS vulnerability in Active Storage proxy mode via Range requests Security Announcements announcement , security	207	March 23, 2026
[CVE-2026-33173] Insufficient filtering of metadata in Active Storage direct uploads Security Announcements announcement , security	216	March 23, 2026
[CVE-2022-21831] Possible code injection vulnerability in Rails / Active Storage Security Announcements	10629	March 8, 2022

[CVE-2026-33195] Possible path traversal in Active Storage DiskService

Impact

Releases

Versions affected

Patches

More Resources

[CVE-2026-33195] Possible path traversal in Active Storage DiskService

Impact

Releases

Versions affected

Patches

Related topics

More Resources