CVE-2026-34060
Published: 31 March 2026
Summary
CVE-2026-34060 is a critical-severity Code Injection (CWE-94) vulnerability. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The vulnerability ranks at the 8.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Timely patching to Shopify.ruby-lsp 0.10.2 or later and ruby-lsp 0.26.9 or later directly eliminates the code injection flaw, since those versions sanitize the rubyLsp.branch setting before it is used.
- SI-10 (Information Input Validation): Mandates validation and sanitization of untrusted inputs, such as workspace settings, before they are interpolated into code-generating processes like Gemfile creation, directly addressing the CWE-94 injection.
- Restricting user installation of unapproved software extensions prevents deployment of vulnerable Ruby LSP versions in VS Code environments.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The code injection vulnerability (CWE-94) in the Ruby LSP VS Code extension directly enables arbitrary Ruby code execution when a malicious .vscode/settings.json is processed upon project open, mapping to client application exploitation (T1203) and command/scripting interpreter usage (T1059).
NVD Description
Ruby LSP is an implementation of the language server protocol for Ruby. Prior to Shopify.ruby-lsp version 0.10.2 and ruby-lsp version 0.26.9, the rubyLsp.branch VS Code workspace setting was interpolated without sanitization into a generated Gemfile, allowing arbitrary Ruby code execution when a user opens a project containing a malicious .vscode/settings.json. This issue has been patched in Shopify.ruby-lsp version 0.10.2 and ruby-lsp version 0.26.9.
Deeper analysis
CVE-2026-34060 is a code injection vulnerability (CWE-94) in Ruby LSP, an implementation of the Language Server Protocol for Ruby. It affects versions of Shopify.ruby-lsp prior to 0.10.2 and ruby-lsp prior to 0.26.9. The flaw occurs because the rubyLsp.branch VS Code workspace setting from .vscode/settings.json is interpolated without sanitization into a generated Gemfile, enabling arbitrary Ruby code execution upon project opening in VS Code. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
According to its CVSS vector, the vulnerability is exploitable remotely with no privileges or user interaction required. An attacker crafts a malicious .vscode/settings.json file and hosts it in a project repository, such as on GitHub. When a developer opens that project in VS Code with a vulnerable Ruby LSP extension installed, the unsanitized setting causes arbitrary Ruby code to run via the generated Gemfile, potentially leading to full system compromise with high confidentiality, integrity, and availability impact.
The issue has been addressed in Shopify.ruby-lsp version 0.10.2 and ruby-lsp version 0.26.9, as detailed in the GitHub security advisory (GHSA-c4r5-fxqw-vh93) and release notes for v0.26.9. Security practitioners should urge users to update the Ruby LSP VS Code extension immediately and audit project settings files for suspicious rubyLsp.branch configurations.
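As an added illustration (not code from the Ruby LSP project or its patch), the following TypeScript places the unsafe interpolation pattern the advisory describes beside an allowlist check that refuses anything other than a plain ref name, plus a small audit helper for the settings-file review suggested above. The Gemfile line shape, the function names and the sample settings are constructed for this example.

```typescript
// Added example, not code from the Ruby LSP project or its patch.
// Function names, the Gemfile line shape and the sample settings are
// constructed for this illustration.

// Allowlist for a git ref name as it may appear in rubyLsp.branch:
// none of these characters can end a Ruby string literal, start a
// comment, or open "#{...}" interpolation inside the generated Gemfile.
const SAFE_BRANCH = /^[A-Za-z0-9][A-Za-z0-9._\/-]{0,254}$/;

function isSafeBranch(branch: string): boolean {
  return SAFE_BRANCH.test(branch);
}

// Vulnerable shape (CWE-94): the workspace setting lands verbatim inside
// a Ruby string literal, so whoever wrote the setting controls Ruby syntax.
function renderGemfileUnsafe(branch: string): string {
  return `gem "ruby-lsp", git: "https://github.com/Shopify/ruby-lsp", branch: "${branch}"\n`;
}

// Hardened shape: generate nothing unless the value is a plain ref name,
// so the caller can fall back to its default instead of trusting the input.
function renderGemfileSafe(branch: string): string | null {
  return isSafeBranch(branch) ? renderGemfileUnsafe(branch) : null;
}

// Audit helper for the review step in the analysis above: report whether a
// .vscode/settings.json text sets rubyLsp.branch and whether the value is a
// plain ref name. Real settings files may contain comments (JSONC), which
// JSON.parse rejects; a JSONC parser would be needed for those.
function auditSettings(settingsJson: string): { present: boolean; safe: boolean } {
  const parsed = JSON.parse(settingsJson) as Record<string, unknown>;
  const value = parsed["rubyLsp.branch"];
  if (value === undefined) {
    return { present: false, safe: true };
  }
  return { present: true, safe: typeof value === "string" && isSafeBranch(value) };
}

// Constructed sample settings files, not taken from any real repository.
const BENIGN_SETTINGS = JSON.stringify({ "rubyLsp.branch": "feature/fix-123" });
const SUSPECT_SETTINGS = JSON.stringify({ "rubyLsp.branch": 'v1.0" extra' });

console.log(auditSettings(BENIGN_SETTINGS));   // { present: true, safe: true }
console.log(auditSettings(SUSPECT_SETTINGS));  // { present: true, safe: false }
```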