CVE-2026-33195: Path Traversal Vulnerability in Ruby on Rails Active Storage DiskService

via Dev.to, CVE Reports

Vulnerability ID: CVE-2026-33195
CVSS Score: 8.0
Published: 2026-03-23

Ruby on Rails Active Storage contains a path traversal vulnerability in the DiskService component. Applications that allow user-controllable blob keys expose arbitrary file read, write, and deletion to unauthenticated attackers, because the key is not adequately sanitized before it is used to build a filesystem path.

TL;DR
A path traversal flaw in Rails Active Storage (CVSS 8.0) allows attackers to read or write arbitrary files on the host if the application permits user-defined blob keys. Patches are available in versions 7.2.3.1, 8.0.4.1, and 8.1.2.1.

Technical Details
CWE ID: CWE-22
Attack Vector: Network
CVSS Score: 8.0
Impact: Arbitrary File Read/Write/Delete
Exploit Status: Unweaponized
KEV Status: Not Listed

Affected Systems
Ruby on Rails (Active Storage component)
Systems utilizing DiskService for local file storage
activestorage: < 7.2.3.1 (Fixed in: 7.2.3.1) acti
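The condition the advisory describes, a user-controllable key spliced into a DiskService path, can be reproduced in miniature. The Ruby below is an added example written for this page; it is neither Rails' own DiskService code nor the upstream patch. NaiveDiskStore models the root/<key[0,2]>/<key[2,2]>/<key> folder layout a disk-backed blob store uses but trusts whatever key it is handed, while HardenedDiskStore shows the two checks a practitioner would want in front of such a path: a strict key format (the 28-character lowercase base36 pattern is this example's assumption about the tokens Active Storage generates for its own blobs, not a claim about what the fixed versions enforce) and a containment check that the expanded path still lies under the storage root. The root /srv/app/storage and both keys are constructed inputs.

```ruby
# Added example for this page, not Rails' own code. NaiveDiskStore models the
# root/<key[0,2]>/<key[2,2]>/<key> layout a disk-backed blob store uses, with
# the key spliced in unchecked; HardenedDiskStore adds the checks that stop
# a traversal key from ever reaching the filesystem.

class NaiveDiskStore
  def initialize(root)
    @root = File.expand_path(root)
  end

  # Vulnerable by construction: the key is trusted, so "../" segments in it
  # walk out of @root once the path is resolved.
  def path_for(key)
    File.join(@root, key[0..1], key[2..3], key)
  end
end

class HardenedDiskStore
  # Assumption of this example: keys are 28-character lowercase base36 tokens,
  # the shape Active Storage generates for its own blobs. Anything else is
  # refused before a path is built. This is not the upstream patch.
  KEY_FORMAT = /\A[a-z0-9]{28}\z/

  class InvalidKey < ArgumentError; end

  def initialize(root)
    @root = File.expand_path(root)
  end

  def path_for(key)
    raise InvalidKey, "key does not match expected format" unless key.is_a?(String) && key.match?(KEY_FORMAT)
    path = File.expand_path(File.join(@root, key[0..1], key[2..3], key))
    # Defence in depth: expand_path resolves ".." lexically, so the result can
    # be checked against @root without touching the filesystem.
    raise InvalidKey, "key resolves outside storage root" unless path.start_with?(@root + File::SEPARATOR)
    path
  end
end

# Runs a traversal key and a well-formed key through both stores and reports
# what each would have done. Root and keys are constructed inputs.
def traversal_demo(root = "/srv/app/storage")
  evil_key = "../../../../etc/passwd"        # attacker-controlled key
  good_key = "abcdefghijklmnopqrstuvwxyz01"  # 28-char base36 token

  naive = NaiveDiskStore.new(root)
  hardened = HardenedDiskStore.new(root)
  inside_root = ->(path) { path.start_with?(File.expand_path(root) + File::SEPARATOR) }

  naive_path = File.expand_path(naive.path_for(evil_key))
  hardened_rejects = begin
    hardened.path_for(evil_key)
    false
  rescue HardenedDiskStore::InvalidKey
    true
  end

  {
    naive_path: naive_path,                       # where the naive store would read/write/delete
    naive_escapes: !inside_root.call(naive_path), # true: the request left the storage root
    hardened_rejects: hardened_rejects,           # true: refused before any I/O
    hardened_good_path: hardened.path_for(good_key),
  }
end

if __FILE__ == $PROGRAM_NAME
  traversal_demo.each { |k, v| puts "#{k}: #{v}" }
end
```

The containment check is worth keeping even with the format check in place: it is the control that still holds if the key format is ever relaxed, and it costs nothing. File.expand_path is purely lexical, so it neither requires the file to exist nor follows symlinks; symlinks inside the storage root are a separate concern from the traversal shown here.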
