CVE-2026-33173
CVE-2026-33173 is a medium-severity vulnerability in Rubyonrails Rails with a CVSS 3.x base score of 5.3. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-925.
Key facts
- Severity: Medium (CVSS 3.x base score 5.3)
- CVSS v4: 5.3
- EPSS exploit prediction: 0% (31st percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-14626
- Weakness: CWE-925
- Affected product: Rubyonrails Rails
- Published:
- Last modified:
Description
Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, `DirectUploadsController` accepts arbitrary metadata from the client and persists it on the blob. Because internal flags like `identified` and `analyzed` are stored in the same metadata hash, a direct-upload client can set these flags to skip MIME detection and analysis. This allows an attacker to upload arbitrary content while claiming a safe `content_type`, bypassing any validations that rely on Active Storage's automatic content type identification. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
Frequently asked questions
- What is CVE-2026-33173?
- Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, `DirectUploadsController` accepts arbitrary metadata from the client and persists it on the blob. Because internal flags like `identified` and `analyzed` are stored in the same metadata hash, a direct-upload client can set these flags to skip MIME detection and analysis. This allows an attacker to upload arbitrary content while claiming a safe `content_type`, bypassing any validations that rely on Active Storage's automatic content type identification. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
- How severe is CVE-2026-33173?
- CVE-2026-33173 has a CVSS 3.x base score of 5.3, rated medium severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is none, integrity low, and availability none.
- Is CVE-2026-33173 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (31st percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2026-33173?
- CVE-2026-33173 affects Rubyonrails Rails. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2026-33173?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2026-33173 have an EU (EUVD) identifier?
- Yes. CVE-2026-33173 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-14626.
- When was CVE-2026-33173 published?
- CVE-2026-33173 was published on 2026-03-24 and last updated on 2026-06-17.
References
- https://github.com/rails/rails/commit/707c0f1f41f067fdf96d54e99d43b28dfaae7e53
- https://github.com/rails/rails/commit/8fcb934caadc79c8cc4ce53287046d0f67005b3e
- https://github.com/rails/rails/commit/d9502f5214e2198245a4c1defe9cd02a7c8057d0
- https://github.com/rails/rails/releases/tag/v7.2.3.1
- https://github.com/rails/rails/releases/tag/v8.0.4.1
- https://github.com/rails/rails/releases/tag/v8.1.2.1
- https://github.com/rails/rails/security/advisories/GHSA-qcfx-2mfw-w4cg
Affected products (1)
- cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*
More vulnerabilities in Rubyonrails Rails
- CVE-2013-0277 — Critical (CVSS 10.0): ActiveRecord in Ruby on Rails before 2.3.17 and 3.x before 3.1.0 allows remote attackers to cause a denial of service…
- CVE-2026-33195 — Critical (CVSS 9.8): Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1,…
- CVE-2020-8165 — Critical (CVSS 9.8): A deserialization of untrusted data vulnernerability exists in rails < 5.2.4.3, rails < 6.0.3.1 that can allow an…
- CVE-2019-5420 — Critical (CVSS 9.8): A remote code execution vulnerability in development mode Rails <5.2.2.1, <6.0.0.beta3 can allow an attacker to guess…
- CVE-2026-33202 — Critical (CVSS 9.1): Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1,…
- CVE-2020-8163 — High (CVSS 8.8): The is a code injection vulnerability in versions of Rails prior to 5.0.1 that wouldallow an attacker who controlled…
All CVEs affecting Rubyonrails Rails →
Other CWE-925 vulnerabilities
- CVE-2024-10576 — Critical (CVSS 9.4): Infinix devices contain a pre-loaded "com.transsion.agingfunction" application, that exposes an unsecured broadcast…
- CVE-2023-44126 — Low (CVSS 3.6): The vulnerability is that the Call management ("com.android.server.telecom") app patched by LG sends a lot of LG-owned…