Path Traversal in Rails Activestorage

CVE-2026-33195

Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's `DiskService#path_for` does not validate that the resolved filesystem path remains within…

Vulnerability class: Path Traversal (Directory Traversal)

EPSS: 0.000 (11.5th percentile)

Affected products

  • Rails Activestorage — versions >= 8.1.0.beta1, < 8.1.2.1; >= 8.0.0.beta1, < 8.0.4.1; < 7.2.3.1
