Cyber Resilience

CVE-2026-33202

Medium

Published: 24 March 2026

Published
24 March 2026
Modified
24 March 2026
KEV Added
Patch
CVSS Score v4 6.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0065 46.2th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-33202 is a medium-severity Injection (CWE-74) vulnerability in Rubyonrails Rails. Its CVSS base score is 6.6 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 46.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-33202 is a vulnerability in Active Storage, a Ruby on Rails component for attaching cloud and local files to applications. In versions prior to 8.1.2.1, 8.0.4.1, and 7.2.3.1, the `DiskService#delete_prefixed` method passes blob keys directly to Ruby's `Dir.glob` without escaping glob metacharacters. This flaw, tracked as CWE-74 (OS Command Injection), carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H), highlighting its critical potential for integrity and availability disruption.

The vulnerability can be exploited remotely by unauthenticated attackers with low complexity and no user interaction. Exploitation requires a blob key containing attacker-controlled input or custom-generated content with glob metacharacters, such as asterisks or brackets. Successful attacks enable deletion of unintended files within the storage directory, potentially compromising application data integrity and availability without affecting confidentiality.

Mitigation involves upgrading to patched versions 8.1.2.1, 8.0.4.1, or 7.2.3.1, as detailed in the Rails GitHub releases. The fixes are implemented in specific commits, including 8c9676b803820110548cdb7523800db43bc6874c, 955284d26e469a9c026a4eee5b21f0414ab0bccf, and fa19073546360856e9f4dab221fc2c5d73a45e82, which properly escape glob metacharacters before passing keys to `Dir.glob`.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's `DiskService#delete_prefixed` passes blob keys directly to `Dir.glob` without escaping glob metacharacters. If a blob key contains attacker-controlled input…

more

or custom-generated keys with glob metacharacters, it may be possible to delete unintended files from the storage directory. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1485 Data Destruction Impact
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
Why these techniques?

Remote unauthenticated exploitation of public-facing Rails Active Storage component for arbitrary file deletion directly maps to T1190 (initial access via app vuln) and enables T1485 (impact via data destruction on storage directory).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33176Same product: Rubyonrails Rails
CVE-2026-33174Same product: Rubyonrails Rails
CVE-2026-33195Same product: Rubyonrails Rails
CVE-2026-2469Shared CWE-74
CVE-2026-25814Shared CWE-74
CVE-2026-27727Shared CWE-74
CVE-2026-7770Shared CWE-74
CVE-2022-31631Shared CWE-74
CVE-2026-26002Shared CWE-74
CVE-2026-2019Shared CWE-74

Affected Assets

rubyonrails
rails
≤ 7.2.3.1 · 8.0.0 — 8.0.4.1 · 8.1.0 — 8.1.2.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Flaw remediation directly addresses CVE-2026-33202 by requiring timely patching of vulnerable Active Storage versions to escape glob metacharacters in DiskService#delete_prefixed.

prevent

Information input validation prevents exploitation by sanitizing or rejecting blob keys containing glob metacharacters before passing them to Dir.glob.

detect

Software and information integrity checking detects unauthorized file deletions in the storage directory caused by glob metacharacter injection.

References