Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2026-33173

Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, `DirectUploadsController` accepts arbitrary metadata from the client and persists it on the blob. Because internal flags like `identified` and `analyzed` are stored in the same metadata hash, a direct-upload client can set these flags to skip MIME detection and analysis. This allows an attacker to upload arbitrary content while claiming a safe `content_type`, bypassing any validations that rely on Active Storage's automatic content type identification. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.

Security Impact Summary

This vulnerability carries a MEDIUM severity rating with a CVSS v3.1 score of 5.3, indicating it can be exploited remotely over the network with relatively low complexity without requiring user interaction and does not require pre-existing privileges . The vulnerability impacts limited integrity, for affected systems. Impacting 1 product from rubyonrails organizations running these solutions should prioritize assessment and patching.

Historical Context

Reported in 2026, this vulnerability emerged during an era marked by increased sophistication in supply chain attacks, cloud infrastructure vulnerabilities, and software-as-a-service (SaaS) security challenges. Security practices during this period emphasized zero-trust architectures, container security, and API protection.

Published

2026-03-24T00:16:28.457

Last Modified

2026-03-24T17:56:09.113

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 5.3 (MEDIUM)

Weaknesses

Type: Primary
CWE-925

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	rubyonrails	rails	< 7.2.3.1	Yes
Application	rubyonrails	rails	< 8.0.4.1	Yes
Application	rubyonrails	rails	< 8.1.2.1	Yes

References

https://github.com/rails/rails/commit/707c0f1f41f067fdf96d54e99d43b28dfaae7e53 Patch ([email protected])
https://github.com/rails/rails/commit/8fcb934caadc79c8cc4ce53287046d0f67005b3e Patch ([email protected])
https://github.com/rails/rails/commit/d9502f5214e2198245a4c1defe9cd02a7c8057d0 Patch ([email protected])
https://github.com/rails/rails/releases/tag/v7.2.3.1 Release Notes ([email protected])
https://github.com/rails/rails/releases/tag/v8.0.4.1 Release Notes ([email protected])
https://github.com/rails/rails/releases/tag/v8.1.2.1 Release Notes ([email protected])
https://github.com/rails/rails/security/advisories/GHSA-qcfx-2mfw-w4cg Vendor Advisory ([email protected])

How SecUtils Interprets This CVE

SecUtils normalizes and enriches National Vulnerability Database (NVD) records by standardizing vendor and product identifiers, aggregating vulnerability metadata from both NVD and MITRE sources, and providing structured context for security teams. For rubyonrails's affected products, we extract Common Platform Enumeration (CPE) data, Common Weakness Enumeration (CWE) classifications, CVSS severity metrics, and reference data to enable rapid vulnerability prioritization and asset correlation. This record contains no exploit code, proof-of-concept instructions, or attack methodologies—only defensive intelligence necessary for patch management, risk assessment, and security operations.