Vulnerability in Rails Activestorage

CVE-2026-33202

Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's `DiskService#delete_prefixed` passes blob keys directly to `Dir.glob` without escaping glo…

EPSS: 0.000 (8.8th percentile) — read the EPSS interpretation.

Affected products

Rails Activestorage — versions >= 8.1.0.beta1, < 8.1.2.1, >= 8.0.0.beta1, < 8.0.4.1, < 7.2.3.1

Weakness classification (CWE)

CWE-74 — Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection)

References

https://github.com/rails/rails/security/advisories/GHSA-73f9-jhhh-hr5m (x_refsource_CONFIRM)
https://github.com/rails/rails/commit/8c9676b803820110548cdb7523800db43bc6874c (x_refsource_MISC)
https://github.com/rails/rails/commit/955284d26e469a9c026a4eee5b21f0414ab0bccf (x_refsource_MISC)
https://github.com/rails/rails/commit/fa19073546360856e9f4dab221fc2c5d73a45e82 (x_refsource_MISC)
https://github.com/rails/rails/releases/tag/v7.2.3.1 (x_refsource_MISC)
https://github.com/rails/rails/releases/tag/v8.0.4.1 (x_refsource_MISC)
https://github.com/rails/rails/releases/tag/v8.1.2.1 (x_refsource_MISC)