Resource exhaustion in Rails Activestorage

CVE-2026-33658

Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's proxy controller does not limit the number of byte ranges in an HTTP Range header. A reques…

EPSS: 0.000 (6.9th percentile).

CVSS v3 metric

CVSS v3 base score 6.5 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.

Frequently asked questions

What is CVE-2026-33658?
CVE-2026-33658 is a medium-severity vulnerability in Rails Activestorage, classified under Allocation of Resources Without Limits or Throttling. CVSS score: 6.5/10. Published 2026-03-26.

How severe is CVE-2026-33658?
Medium severity. CVSS v3 base score is 6.5 out of 10.