{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33202", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T23:23:58.312Z", "datePublished": "2026-03-23T23:34:52.715Z", "dateUpdated": "2026-03-24T15:44:19.018Z"}, "containers": {"cna": {"title": "Rails Active Storage has possible glob injection in its DiskService", "problemTypes": [{"descriptions": [{"cweId": "CWE-74", "lang": "en", "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.6, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U", "version": "4.0"}}], "references": [{"name": "https://github.com/rails/rails/security/advisories/GHSA-73f9-jhhh-hr5m", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/rails/rails/security/advisories/GHSA-73f9-jhhh-hr5m"}, {"name": "https://github.com/rails/rails/commit/8c9676b803820110548cdb7523800db43bc6874c", "tags": ["x_refsource_MISC"], "url": "https://github.com/rails/rails/commit/8c9676b803820110548cdb7523800db43bc6874c"}, {"name": "https://github.com/rails/rails/commit/955284d26e469a9c026a4eee5b21f0414ab0bccf", "tags": ["x_refsource_MISC"], "url": "https://github.com/rails/rails/commit/955284d26e469a9c026a4eee5b21f0414ab0bccf"}, {"name": "https://github.com/rails/rails/commit/fa19073546360856e9f4dab221fc2c5d73a45e82", "tags": ["x_refsource_MISC"], "url": "https://github.com/rails/rails/commit/fa19073546360856e9f4dab221fc2c5d73a45e82"}, {"name": "https://github.com/rails/rails/releases/tag/v7.2.3.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/rails/rails/releases/tag/v7.2.3.1"}, {"name": "https://github.com/rails/rails/releases/tag/v8.0.4.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/rails/rails/releases/tag/v8.0.4.1"}, {"name": "https://github.com/rails/rails/releases/tag/v8.1.2.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/rails/rails/releases/tag/v8.1.2.1"}], "affected": [{"vendor": "rails", "product": "activestorage", "versions": [{"version": ">= 8.1.0.beta1, < 8.1.2.1", "status": "affected"}, {"version": ">= 8.0.0.beta1, < 8.0.4.1", "status": "affected"}, {"version": "< 7.2.3.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-23T23:34:52.715Z"}, "descriptions": [{"lang": "en", "value": "Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's `DiskService#delete_prefixed` passes blob keys directly to `Dir.glob` without escaping glob metacharacters. If a blob key contains attacker-controlled input or custom-generated keys with glob metacharacters, it may be possible to delete unintended files from the storage directory. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch."}], "source": {"advisory": "GHSA-73f9-jhhh-hr5m", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T15:42:33.496549Z", "id": "CVE-2026-33202", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T15:44:19.018Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33202", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-24T15:42:33.496549Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T15:44:10.144Z"}}], "cna": {"title": "Rails Active Storage has possible glob injection in its DiskService", "source": {"advisory": "GHSA-73f9-jhhh-hr5m", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.6, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "rails", "product": "activestorage", "versions": [{"status": "affected", "version": ">= 8.1.0.beta1, < 8.1.2.1"}, {"status": "affected", "version": ">= 8.0.0.beta1, < 8.0.4.1"}, {"status": "affected", "version": "< 7.2.3.1"}]}], "references": [{"url": "https://github.com/rails/rails/security/advisories/GHSA-73f9-jhhh-hr5m", "name": "https://github.com/rails/rails/security/advisories/GHSA-73f9-jhhh-hr5m", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/rails/rails/commit/8c9676b803820110548cdb7523800db43bc6874c", "name": "https://github.com/rails/rails/commit/8c9676b803820110548cdb7523800db43bc6874c", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/rails/rails/commit/955284d26e469a9c026a4eee5b21f0414ab0bccf", "name": "https://github.com/rails/rails/commit/955284d26e469a9c026a4eee5b21f0414ab0bccf", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/rails/rails/commit/fa19073546360856e9f4dab221fc2c5d73a45e82", "name": "https://github.com/rails/rails/commit/fa19073546360856e9f4dab221fc2c5d73a45e82", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/rails/rails/releases/tag/v7.2.3.1", "name": "https://github.com/rails/rails/releases/tag/v7.2.3.1", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/rails/rails/releases/tag/v8.0.4.1", "name": "https://github.com/rails/rails/releases/tag/v8.0.4.1", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/rails/rails/releases/tag/v8.1.2.1", "name": "https://github.com/rails/rails/releases/tag/v8.1.2.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's `DiskService#delete_prefixed` passes blob keys directly to `Dir.glob` without escaping glob metacharacters. If a blob key contains attacker-controlled input or custom-generated keys with glob metacharacters, it may be possible to delete unintended files from the storage directory. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-23T23:34:52.715Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33202", "state": "PUBLISHED", "dateUpdated": "2026-03-24T15:44:19.018Z", "dateReserved": "2026-03-17T23:23:58.312Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-23T23:34:52.715Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*", "matchCriteriaId": "D9DC6CB9-DC6C-4CBB-9806-3936ADBC8F1B", "versionEndExcluding": "7.2.3.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*", "matchCriteriaId": "FA8791E1-8B96-43F6-A3EC-A7E60D700330", "versionEndExcluding": "8.0.4.1", "versionStartIncluding": "8.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*", "matchCriteriaId": "978E0135-D14B-41DE-87E4-CF059A23E189", "versionEndExcluding": "8.1.2.1", "versionStartIncluding": "8.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's `DiskService#delete_prefixed` passes blob keys directly to `Dir.glob` without escaping glob metacharacters. If a blob key contains attacker-controlled input or custom-generated keys with glob metacharacters, it may be possible to delete unintended files from the storage directory. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch."}, {"lang": "es", "value": "Active Storage permite a los usuarios adjuntar archivos locales y en la nube en aplicaciones Rails. Antes de las versiones 8.1.2.1, 8.0.4.1 y 7.2.3.1, el 'DiskService#delete_prefixed' de Active Storage pasa las claves de blob directamente a 'Dir.glob' sin escapar los metacaracteres glob. Si una clave de blob contiene entrada controlada por el atacante o claves generadas a medida con metacaracteres glob, puede ser posible eliminar archivos no deseados del directorio de almacenamiento. Las versiones 8.1.2.1, 8.0.4.1 y 7.2.3.1 contienen un parche."}], "id": "CVE-2026-33202", "lastModified": "2026-03-24T17:55:12.260", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-24T00:16:29.157", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/rails/rails/commit/8c9676b803820110548cdb7523800db43bc6874c"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/rails/rails/commit/955284d26e469a9c026a4eee5b21f0414ab0bccf"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/rails/rails/commit/fa19073546360856e9f4dab221fc2c5d73a45e82"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/rails/rails/releases/tag/v7.2.3.1"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/rails/rails/releases/tag/v8.0.4.1"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/rails/rails/releases/tag/v8.1.2.1"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/rails/rails/security/advisories/GHSA-73f9-jhhh-hr5m"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "rails: Active Storage: Unintended file deletion via crafted blob keys", "id": "2450547", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450547"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "status": "draft"}, "cwe": "CWE-22", "details": ["A flaw was found in Active Storage, a component of Rails applications. This vulnerability occurs because Active Storage's `DiskService#delete_prefixed` function does not properly escape glob metacharacters when processing blob keys. A remote attacker could exploit this by providing a specially crafted blob key, potentially leading to the deletion of unintended files from the storage directory. This could result in a data loss."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-33202", "package_state": [{"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp20/system", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp21/system", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp21/zync", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp22/system", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp22/zync", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp24/system", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp24/zync", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp25/system", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp25/zync", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp26/system", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp26/zync", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp2/system-rhel7", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp2/system-rhel8", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp2/system-rhel9", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp2/zync-rhel7", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp2/zync-rhel8", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp2/zync-rhel9", "product_name": "Red Hat 3scale API Management Platform 2"}], "public_date": "2026-03-23T23:34:52Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33202\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33202\nhttps://github.com/rails/rails/commit/8c9676b803820110548cdb7523800db43bc6874c\nhttps://github.com/rails/rails/commit/955284d26e469a9c026a4eee5b21f0414ab0bccf\nhttps://github.com/rails/rails/commit/fa19073546360856e9f4dab221fc2c5d73a45e82\nhttps://github.com/rails/rails/releases/tag/v7.2.3.1\nhttps://github.com/rails/rails/releases/tag/v8.0.4.1\nhttps://github.com/rails/rails/releases/tag/v8.1.2.1\nhttps://github.com/rails/rails/security/advisories/GHSA-73f9-jhhh-hr5m"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[8.1.0.beta1,8.1.2.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[8.0.0.beta1,8.0.4.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,7.2.3.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "activestorage", "source": "cna", "vendor": "rails"}, "product": "activestorage", "vendor": "rails"}], "analysis": {"en": {"generated_at": "2026-03-24T20:06:31.799427+00:00", "value": {"mitigation_remediation": ["Update Rails to version 7.2.3.1, 8.0.4.1, or 8.1.2.1 (or later) to apply the official patch."], "summary": {"action": "Apply Patch", "impact": "File Deletion"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Ruby on Rails\u2019 Active Storage component in all releases before Rails 7.2.3.1, 8.0.4.1, and 8.1.2.1. Affected installations include any Rails application that uses the unpatched DiskService for local file storage, regardless of deployment environment.", "description_and_impact": "Active Storage allows Rails applications to attach cloud and local files. In versions earlier than 7.2.3.1, 8.0.4.1, and 8.1.2.1, the DiskService#delete_prefixed method passed blob keys directly to Dir.glob without escaping glob metacharacters. If a blob key contains attacker\u2011controlled or specially crafted glob characters, the method may delete unintended files from the storage directory. This results in loss of data and can disrupt application availability, representing a moderate-severity vulnerability (CWE\u201122 and CWE\u201174).", "risk_and_exploitability": "The CVSS score of 6.6 indicates moderate severity. EPSS is below 1\u202f%, suggesting a low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. An attacker would need access to the application\u2019s API or upload functionality to supply a malicious blob key, implying a remote or locally authenticated attack vector depending on exposure. If successful, the attacker could delete arbitrary files within the storage directory, compromising data integrity and potentially isolating application functionality."}}}}, "created": "2026-03-24T10:29:51.330285+00:00", "updated": "2026-03-25T20:35:58.555762+00:00", "vendors": ["rails", "rails$PRODUCT$activestorage"]}