Cyber Posture

CVE-2026-33195

Critical

Published: 24 March 2026

Modified: 24 March 2026
Patch: available (fixed versions listed below)
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0004 (10.7th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-33195 is a critical-severity Path Traversal (CWE-22) vulnerability in Rubyonrails Rails. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 10.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 4 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

prevent: Patching Active Storage to versions 8.1.2.1, 8.0.4.1, or 7.2.3.1 directly fixes the lack of path validation in `DiskService#path_for`, preventing path traversal exploitation.

prevent: Validating blob keys as information inputs rejects path traversal sequences like `../`, blocking exploitation even if user input is used as a key.

prevent: Enforcing least privilege on the Rails application process limits the scope of any arbitrary file read/write/delete to the directories that process is authorized to touch.

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1105 Ingress Tool Transfer (Command and Control): Adversaries may transfer tools or other files from an external system into a compromised environment.
T1070.004 File Deletion (Stealth): Adversaries may delete files left behind by the actions of their intrusion activity.
T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Path traversal in the public-facing Rails Active Storage component directly enables remote, unauthenticated file read (T1005), file write for tool ingress or a web shell (T1105/T1505.003), file deletion (T1070.004), and initial access via exploitation of the public application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's `DiskService#path_for` does not validate that the resolved filesystem path remains within the storage root directory. If a blob key containing path traversal sequences (e.g. `../`) is used, it could allow reading, writing, or deleting arbitrary files on the server. Blob keys are expected to be trusted strings, but some applications could be passing user input as keys and would be affected. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.

Deeper analysis [AI]

CVE-2026-33195 is a path traversal vulnerability (CWE-22) in Active Storage, a Ruby on Rails component for attaching cloud and local files to applications. In versions prior to 8.1.2.1, 8.0.4.1, and 7.2.3.1, the `DiskService#path_for` method does not validate that the resolved filesystem path remains within the storage root directory, enabling traversal via blob keys containing sequences like `../`.

Remote attackers without privileges can exploit this vulnerability if an application passes untrusted user input as blob keys, which are expected to be trusted strings. Successful exploitation allows reading, writing, or deleting arbitrary files on the server. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting critical severity with network accessibility, low complexity, and high impact on confidentiality, integrity, and availability.
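To make the missing check concrete, here is an added example (my own Ruby, not Rails' code or the fix commits) that models the `<root>/<key[0..1]>/<key[2..3]>/<key>` disk layout, shows how an unvalidated lookup with a `../` key resolves outside the root, and implements the containment check plus the key-format validation that the SI-10 mitigation above calls for. The storage root and the key alphabet are assumptions.

```ruby
require "pathname"

# Minimal stand-in for a disk-backed blob store using Active Storage's
# <root>/<key[0..1]>/<key[2..3]>/<key> layout. The root path and the key
# alphabet are assumptions for this example; this is not Rails' DiskService.
class DiskServiceDemo
  def initialize(root)
    @root = Pathname.new(root).expand_path.to_s
  end

  def folder_for(key)
    [key[0..1], key[2..3]].join("/")
  end

  # Unvalidated lookup, as the advisory describes for the pre-patch code:
  # the key is joined under the root with no check that the result stays there.
  def unsafe_path_for(key)
    File.join(@root, folder_for(key), key)
  end

  # Containment check: normalise the joined path and refuse anything whose
  # canonical form is not strictly below the storage root. Comparing against
  # root + "/" also rejects sibling directories such as "/srv/storage2".
  # (Symlinks inside the root are not resolved here; realpath would do that.)
  def contained_path_for(key)
    path = File.expand_path(File.join(@root, folder_for(key), key))
    unless path.start_with?(@root + File::SEPARATOR)
      raise ArgumentError, "blob key escapes storage root: #{key.inspect}"
    end
    path
  end

  # Input validation (the SI-10 control): accept only keys drawn from an
  # assumed alphabet with no separators or dots, then still apply the
  # containment check as defence in depth.
  def valid_key?(key)
    key.is_a?(String) && key.match?(/\A[a-z0-9]{4,}\z/i)
  end

  def path_for(key)
    raise ArgumentError, "malformed blob key: #{key.inspect}" unless valid_key?(key)
    contained_path_for(key)
  end
end
```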

Mitigation is provided in patched versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 of Rails. Security practitioners should upgrade immediately and review applications for direct use of user-supplied blob keys. Fix commits include 4933c1e3b8c1bb04925d60347be9f69270392f2c, 9b06fbc0f504b8afe333f33d19548f3b85fbe655, and a290c8a1ec189d793aa6d7f2570b6a763f675348, with releases tagged at v7.2.3.1 and v8.0.4.1 on GitHub.

Details

CWE(s)

CWE-22 (Path Traversal)

Affected Products

rubyonrails rails: ≤ 7.2.3.1 · 8.0.0 to 8.0.4.1 · 8.1.0 to 8.1.2.1

CVEs Like This One

CVE-2026-33202 (same product: Rubyonrails Rails)
CVE-2026-33174 (same product: Rubyonrails Rails)
CVE-2026-33176 (same product: Rubyonrails Rails)
CVE-2026-3464 (shared CWE-22)
CVE-2024-48884 (shared CWE-22)
CVE-2026-5027 (shared CWE-22)
CVE-2026-3795 (shared CWE-22)
CVE-2026-33686 (shared CWE-22)
CVE-2025-41714 (shared CWE-22)
CVE-2026-6615 (shared CWE-22)
