Vulnerability in Rails Activestorage

CVE-2026-33174

Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, when serving files through Active Storage's proxy delivery mode, the proxy controller loads the entire requ…

EPSS: 0.000 (7.1th percentile) — read the EPSS interpretation.

Affected products

Rails Activestorage — versions >= 8.1.0.beta1, < 8.1.2.1, >= 8.0.0.beta1, < 8.0.4.1, < 7.2.3.1

Weakness classification (CWE)

CWE-789

References

https://github.com/rails/rails/security/advisories/GHSA-r46p-8f7g-vvvg (x_refsource_CONFIRM)
https://github.com/rails/rails/commit/2cd933c366b777f873d4d590127da2f4a25e4ba5 (x_refsource_MISC)
https://github.com/rails/rails/commit/42012eaaa88dfc7d0030161b2bc8074a7bbce92a (x_refsource_MISC)
https://github.com/rails/rails/commit/8159a9c3de3f27a2bcf2866b8bf9ceb9075e229b (x_refsource_MISC)
https://github.com/rails/rails/releases/tag/v7.2.3.1 (x_refsource_MISC)
https://github.com/rails/rails/releases/tag/v8.0.4.1 (x_refsource_MISC)
https://github.com/rails/rails/releases/tag/v8.1.2.1 (x_refsource_MISC)