Cyber Resilience

CVE-2026-34060

Severity: High (updated)

Published: 31 March 2026
Modified: 03 June 2026
KEV Added: not listed
Patch: available
CVSS v4.0 base score: 7.1 (vector CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N; the remaining threat, environmental and supplemental metrics are not defined)
EPSS score: 0.0048 (37.6th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-34060 is a high-severity Code Injection (CWE-94) vulnerability in Shopify Ruby LSP (the ruby-lsp gem and the Shopify.ruby-lsp VS Code extension). Its CVSS v4.0 base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 37.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-34060 is a code injection vulnerability (CWE-94) in Ruby LSP, an implementation of the Language Server Protocol for Ruby. It affects the Shopify.ruby-lsp VS Code extension prior to version 0.10.2 and the ruby-lsp gem prior to version 0.26.9. The flaw occurs because the rubyLsp.branch VS Code workspace setting, read from .vscode/settings.json, is interpolated without sanitization into a generated Gemfile; since a Gemfile is Ruby source evaluated by Bundler, a crafted value yields arbitrary Ruby code execution as soon as the project is opened in VS Code. This page also records a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Note that this v3.1 vector disagrees with the CVSS v4.0 vector above (AV:L, AT:P, UI:A) and with the advisory text itself, which requires the victim to open the malicious project, so its attack-vector and user-interaction metrics should be read with caution.

An attacker needs no account or privileges on the victim's machine: they craft a malicious .vscode/settings.json and host it in a project repository, for example on GitHub. The one action required is that a developer with a vulnerable Ruby LSP extension opens that project in VS Code. The unsanitized setting is then written into the generated Gemfile and executed as Ruby with the developer's privileges, potentially leading to full compromise of the workstation with high confidentiality, integrity, and availability impact.

The issue has been addressed in Shopify.ruby-lsp version 0.10.2 and ruby-lsp version 0.26.9, as detailed in the GitHub security advisory (GHSA-c4r5-fxqw-vh93) and release notes for v0.26.9. Security practitioners should urge users to update the Ruby LSP VS Code extension immediately and audit project settings files for suspicious rubyLsp.branch configurations.
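The following Ruby is an added example, not code from ruby-lsp or the Shopify.ruby-lsp extension. It models the interpolation flaw described above against a stubbed Gemfile DSL, shows the allow-list check a hardened generator would apply, and includes the settings-file audit helper that the response guidance above calls for. The exact generated Gemfile line (`gem "ruby-lsp", github: "Shopify/ruby-lsp", branch: ...`), all function and class names, and the sample settings.json contents are assumptions constructed for this example.

```ruby
# Added example (not ruby-lsp's or the extension's own code). It models the
# injection described on this page. Assumptions: the extension emits a Gemfile
# line of the form  gem "ruby-lsp", github: "Shopify/ruby-lsp", branch: "<value>"
# and reads the value from .vscode/settings.json; all names below are mine.
require "json"

SETTING_KEY = "rubyLsp.branch"

# Vulnerable pattern: the untrusted setting is interpolated straight into
# generated Ruby source (a Gemfile is Ruby code, evaluated by Bundler).
def vulnerable_gemfile(branch)
  <<~GEMFILE
    source "https://rubygems.org"
    gem "ruby-lsp", github: "Shopify/ruby-lsp", branch: "#{branch}"
  GEMFILE
end

# Hardened pattern: allow-list the value first, then emit it with #inspect so
# the string literal cannot be closed early even if the allow-list later widens.
SAFE_BRANCH = /\A[A-Za-z0-9][A-Za-z0-9._\/-]{0,254}\z/ # conservative subset of git ref syntax

class UnsafeBranchSetting < StandardError; end

def safe_branch?(value)
  value.is_a?(String) && value.match?(SAFE_BRANCH) && !value.include?("..")
end

def hardened_gemfile(branch)
  raise UnsafeBranchSetting, "rejected #{SETTING_KEY}: #{branch.inspect}" unless safe_branch?(branch)
  <<~GEMFILE
    source "https://rubygems.org"
    gem "ruby-lsp", github: "Shopify/ruby-lsp", branch: #{branch.inspect}
  GEMFILE
end

# Minimal stand-in for Bundler's Gemfile DSL, enough to show that whatever the
# generated file contains is executed as Ruby. Records the gem declarations.
class GemfileStub
  attr_reader :gems
  def initialize; @gems = []; end
  def source(_uri); end
  def gem(name, **opts); @gems << [name, opts]; end
end

def evaluate_gemfile(text)
  stub = GemfileStub.new
  stub.instance_eval(text, "Gemfile", 1)
  stub.gems
end

# Audit helper for the response step: read a .vscode/settings.json and return
# the offending value if rubyLsp.branch would not pass the allow-list, else nil.
def audit_settings_json(text)
  settings = JSON.parse(text)
  return nil unless settings.is_a?(Hash)
  value = settings[SETTING_KEY]
  return nil if value.nil? || safe_branch?(value)
  { key: SETTING_KEY, value: value }
rescue JSON::ParserError => e
  { key: SETTING_KEY, error: e.message }
end

# Constructed sample inputs (not taken from any real repository).
BENIGN_SETTINGS = '{ "rubyLsp.branch": "main" }'
# The malicious value closes the branch string literal, adds a Ruby statement,
# and comments out the rest of the original line. Instead of running a command
# it sets a global flag so the effect is observable without side effects.
MALICIOUS_SETTINGS = '{ "rubyLsp.branch": "main\"\n$injected_code_ran = true\n#" }'

$injected_code_ran = false

if __FILE__ == $PROGRAM_NAME
  bad = JSON.parse(MALICIOUS_SETTINGS)[SETTING_KEY]
  evaluate_gemfile(vulnerable_gemfile(bad))
  puts "vulnerable path executed injected code: #{$injected_code_ran}"
  begin
    hardened_gemfile(bad)
  rescue UnsafeBranchSetting => e
    puts "hardened path: #{e.message}"
  end
  p audit_settings_json(MALICIOUS_SETTINGS)
end
```

Running the file shows the vulnerable path setting the flag from inside the stubbed Gemfile evaluation and the hardened path raising before any Gemfile is written. For the audit step, `audit_settings_json` can be fed `File.read(".vscode/settings.json")` across a set of checked-out repositories to flag values that do not look like git branch names.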

Vulnerability details

Ruby LSP is an implementation of the language server protocol for Ruby. Prior to Shopify.ruby-lsp version 0.10.2 and ruby-lsp version 0.26.9, the rubyLsp.branch VS Code workspace setting was interpolated without sanitization into a generated Gemfile, allowing arbitrary Ruby code execution when a user opens a project containing a malicious .vscode/settings.json. This issue has been patched in Shopify.ruby-lsp version 0.10.2 and ruby-lsp version 0.26.9.

CWE(s)

CWE-94 Improper Control of Generation of Code ('Code Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.

T1059 Command and Scripting Interpreter (tactic: Execution)
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

The code injection vulnerability (CWE-94) in the Ruby LSP VS Code extension directly enables arbitrary Ruby code execution when a malicious .vscode/settings.json is processed upon project open, mapping to client application exploitation (T1203) and command/scripting interpreter usage (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-41282 · Shared CWE-94
CVE-2026-39862 · Same vendor: Shopify
CVE-2025-59057 · Same vendor: Shopify
CVE-2024-57061 · Shared CWE-94
CVE-2025-70364 · Shared CWE-94
CVE-2026-42211 · Same vendor: Shopify
CVE-2024-56448 · Shared CWE-94
CVE-2025-25467 · Shared CWE-94
CVE-2026-21884 · Same vendor: Shopify
CVE-2026-22029 · Same vendor: Shopify

Affected Assets

Vendor: Shopify
Product: Ruby LSP
Affected: Shopify.ruby-lsp VS Code extension < 0.10.2 · ruby-lsp gem < 0.26.9 (fixed in 0.10.2 and 0.26.9 respectively)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-assigned)

SI-2 Flaw Remediation · prevent

Timely patching of vulnerable Ruby LSP installations to Shopify.ruby-lsp 0.10.2 or later and ruby-lsp 0.26.9 or later removes the code injection flaw, since the fixed versions sanitize the rubyLsp.branch setting before use.

SI-10 Information Input Validation · prevent

Mandates validation and sanitization of untrusted inputs such as workspace settings before they are interpolated into code-generating steps like Gemfile creation, directly addressing the CWE-94 injection.

Restriction of user-installed software · prevent (control ID not recorded on this page; the description corresponds to CM-11, User-Installed Software)

Restricts user installation of unapproved software extensions, preventing vulnerable Ruby LSP versions from being deployed in VS Code environments.
