VDB
DEBIAN-CVE-2026-33173
DEBIAN-CVE-2026-33173
PUBLISHED
CVSS 5.300000190734863 MEDIUM
Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, `DirectUploadsController` accepts arbitrary metadata from the client and persists it on the blob. Because internal flags like `identified` and `analyzed` are stored in the same metadata hash, a direct-upload client can set these flags to skip MIME detection and analysis. This allows an attacker to upload arbitrary content while claiming a safe `content_type`, bypassing any validations that rely on Active Storage's automatic content type identification. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
Risk Scores
CVSS 3.1
5.300000190734863
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:11 | rails | 7.2.3.1+dfsg, 2:6.1.7.3+dfsg-13, 2:6.1.7.3+dfsg-1~bpo11+1 |
| Debian:12 | rails | 6.1.7.3+dfsg, 6.1.7.10+dfsg, 6.1.7.3+dfsg |
| Debian:13 | rails | 0, 2:7.2.2.2+dfsg-2, 2:7.2.2.2+dfsg-2~deb13u1 |
| Debian:14 | rails | 2:7.2.2.2+dfsg-2~deb13u1, 2:7.2.3+dfsg-1, 2:7.2.3+dfsg-2 |
Timeline
- Mar 24, 2026 CVE Published
- Apr 28, 2026 CVE Updated