CVE-2026-33173

Summary

Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, DirectUploadsController accepts arbitrary metadata from the client and persists it on the blob. Because internal flags like identified and analyzed are stored in the same metadata hash, a direct-upload client can set these flags to skip MIME detection and analysis. This allows an attacker to upload arbitrary content while claiming a safe content_type, bypassing any validations that rely on Active Storage's automatic content type identification. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.

Affected Software

VendorProductVersion RangeStatus
railsactivestorage>= 8.1.0.beta1, < 8.1.2.1affected
railsactivestorage>= 8.0.0.beta1, < 8.0.4.1affected
railsactivestorage< 7.2.3.1affected

Weaknesses

  • CWE-925: CWE-925: Improper Verification of Intent by Broadcast Receiver

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References