2450546 – (CVE-2026-33195) CVE-2026-33195 Rails: Active Storage: Active Storage (Rails): Arbitrary file access via path traversal in blob keys

Bug 2450546 (CVE-2026-33195) - CVE-2026-33195 Rails: Active Storage: Active Storage (Rails): Arbitrary file access via path traversal in blob keys

Summary: CVE-2026-33195 Rails: Active Storage: Active Storage (Rails): Arbitrary file ...

Keywords:
Status:	NEW
Alias:	CVE-2026-33195
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-03-24 00:02 UTC by OSIDB Bzimport
Modified:	2026-03-24 11:01 UTC (History)
CC List:	10 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-03-24 00:02:14 UTC

Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's `DiskService#path_for` does not validate that the resolved filesystem path remains within the storage root directory. If a blob key containing path traversal sequences (e.g. `../`) is used, it could allow reading, writing, or deleting arbitrary files on the server. Blob keys are expected to be trusted strings, but some applications could be passing user input as keys and would be affected. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.

Note You need to log in before you can comment on or make changes to this bug.