CVE-2026-33202
Published: 24 March 2026
Summary
CVE-2026-33202 is a critical-severity Injection (CWE-74) vulnerability in Rubyonrails Rails. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 8.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Flaw remediation directly addresses CVE-2026-33202 by requiring timely patching of vulnerable Active Storage versions to escape glob metacharacters in DiskService#delete_prefixed.
Information input validation prevents exploitation by sanitizing or rejecting blob keys containing glob metacharacters before passing them to Dir.glob.
Software and information integrity checking detects unauthorized file deletions in the storage directory caused by glob metacharacter injection.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated exploitation of public-facing Rails Active Storage component for arbitrary file deletion directly maps to T1190 (initial access via app vuln) and enables T1485 (impact via data destruction on storage directory).
NVD Description
Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's `DiskService#delete_prefixed` passes blob keys directly to `Dir.glob` without escaping glob metacharacters. If a blob key contains attacker-controlled input…
more
or custom-generated keys with glob metacharacters, it may be possible to delete unintended files from the storage directory. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
Deeper analysisAI
CVE-2026-33202 is a vulnerability in Active Storage, a Ruby on Rails component for attaching cloud and local files to applications. In versions prior to 8.1.2.1, 8.0.4.1, and 7.2.3.1, the `DiskService#delete_prefixed` method passes blob keys directly to Ruby's `Dir.glob` without escaping glob metacharacters. This flaw, tracked as CWE-74 (OS Command Injection), carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H), highlighting its critical potential for integrity and availability disruption.
The vulnerability can be exploited remotely by unauthenticated attackers with low complexity and no user interaction. Exploitation requires a blob key containing attacker-controlled input or custom-generated content with glob metacharacters, such as asterisks or brackets. Successful attacks enable deletion of unintended files within the storage directory, potentially compromising application data integrity and availability without affecting confidentiality.
Mitigation involves upgrading to patched versions 8.1.2.1, 8.0.4.1, or 7.2.3.1, as detailed in the Rails GitHub releases. The fixes are implemented in specific commits, including 8c9676b803820110548cdb7523800db43bc6874c, 955284d26e469a9c026a4eee5b21f0414ab0bccf, and fa19073546360856e9f4dab221fc2c5d73a45e82, which properly escape glob metacharacters before passing keys to `Dir.glob`.
Details
- CWE(s)