CVE-2026-33173

low-risk

Published 2026-03-24

Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, `DirectUploadsController` accepts arbitrary metadata from the client and persists it on the blob. Because internal flags like `identified` and `analyzed` are stored in the same metadata hash, a direct-upload client can set these flags to skip MIME detection and analysis. This allows an attacker to upload arbitrary content while claiming a safe `content_type`, bypassing any validations that rely on Active Storage's automatic content type identification. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.

Do I need to act?

0.01% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.3/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Rails

Affected Vendors

Rubyonrails

References (7)

Patch https://github.com/rails/rails/commit/707c0f1f41f067fdf96d54e99d43b28dfaae7e53

Patch https://github.com/rails/rails/commit/8fcb934caadc79c8cc4ce53287046d0f67005b3e

Patch https://github.com/rails/rails/commit/d9502f5214e2198245a4c1defe9cd02a7c8057d0

Release Notes https://github.com/rails/rails/releases/tag/v7.2.3.1

Release Notes https://github.com/rails/rails/releases/tag/v8.0.4.1

Release Notes https://github.com/rails/rails/releases/tag/v8.1.2.1

Vendor Advisory https://github.com/rails/rails/security/advisories/GHSA-qcfx-2mfw-w4cg

/ 100

low-risk

Severity 21/34 · High

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal