Vulnerability in Rails Activestorage

CVE-2026-33173

Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, `DirectUploadsController` accepts arbitrary metadata from the client and persists it on the blob. Because i…

EPSS: 0.000 (3.4th percentile)

Affected products

  • Rails Activestorage — versions >= 8.1.0.beta1 and < 8.1.2.1; >= 8.0.0.beta1 and < 8.0.4.1; < 7.2.3.1

Weakness classification (CWE)

References