[CVE-2026-33202] Possible glob injection in Active Storage DiskService

jhawthorn · March 23, 2026, 9:25pm

Impact

Active Storage’s DiskService#delete_prefixed passes blob keys directly to Dir.glob without escaping glob metacharacters. If a blob key contains attacker-controlled input or custom-generated keys with glob metacharacters, it may be possible to delete unintended files from the storage directory.

Releases

The fixed releases are available at the normal locations.

CVE-2026-33202
GHSA-73f9-jhhh-hr5m

Versions affected

activestorage >= 8.1, < 8.1.2.1 (patched in 8.1.2.1)
activestorage >= 8.0, < 8.0.4.1 (patched in 8.0.4.1)
activestorage < 7.2.3.1 (patched in 7.2.3.1)

Topic		Replies	Views
[CVE-2026-33195] Possible path traversal in Active Storage DiskService Security Announcements announcement , security	0	35	March 23, 2026
[CVE-2026-33173] Insufficient filtering of metadata in Active Storage direct uploads Security Announcements announcement , security	0	36	March 23, 2026
[CVE-2022-21831] Possible code injection vulnerability in Rails / Active Storage Security Announcements	0	10628	March 8, 2022
[CVE-2026-33174] Possible DoS vulnerability in Active Storage proxy mode via Range requests Security Announcements announcement , security	0	33	March 23, 2026
Active Storage set blob key on direct upload (changelog) rubyonrails-talk activestorage	4	2722	March 22, 2023

[CVE-2026-33202] Possible glob injection in Active Storage DiskService

Impact

Releases

Versions affected

Patches

More Resources

[CVE-2026-33202] Possible glob injection in Active Storage DiskService

Impact

Releases

Versions affected

Patches

Related topics

More Resources