Description
Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's `DiskService#delete_prefixed` passes blob keys directly to `Dir.glob` without escaping glob metacharacters. If a blob key contains attacker-controlled input or custom-generated keys with glob metacharacters, it may be possible to delete unintended files from the storage directory. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
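The following is an added illustration, not Rails code: it contrasts a `delete_prefixed`-style lookup that interpolates the key into `Dir.glob` unescaped with a hardened variant that escapes glob metacharacters first. It assumes a flat, constructed storage directory (the real disk service nests keys in subdirectories) and the helper name `glob_escape` is an assumption, not a Rails API.

```ruby
require "tmpdir"

# Characters Dir.glob interprets specially: * ? [ ] { } and the escape character itself.
GLOB_META = /[*?\[\]{}\\]/

# Escape a storage key so Dir.glob matches it literally
# (assumed helper name; not part of Active Storage).
def glob_escape(str)
  str.gsub(GLOB_META) { |c| "\\#{c}" }
end

# Vulnerable shape described in the advisory: key goes into the pattern unescaped.
def unsafe_prefixed(root, prefix)
  Dir.glob(File.join(root, "#{prefix}*"))
end

# Hardened shape: both the root and the prefix are escaped before globbing.
def safe_prefixed(root, prefix)
  Dir.glob(File.join(glob_escape(root), "#{glob_escape(prefix)}*"))
end

# Builds a constructed flat storage directory with three blobs and reports which
# basenames each variant would select for deletion for the given prefix.
def compare(prefix)
  Dir.mktmpdir("as_demo") do |root|
    %w[abc123 abc123-variant zzz999].each do |key|
      File.write(File.join(root, key), "blob")
    end
    {
      unsafe: unsafe_prefixed(root, prefix).map { |p| File.basename(p) }.sort,
      safe:   safe_prefixed(root, prefix).map { |p| File.basename(p) }.sort
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  # A well-formed key behaves the same in both; keys carrying metacharacters
  # widen the unsafe match but are matched literally by the hardened variant.
  ["abc123", "*", "z[a-z]z"].each do |prefix|
    r = compare(prefix)
    puts "prefix=#{prefix.inspect} unsafe=#{r[:unsafe]} safe=#{r[:safe]}"
  end
end
```

A detection-side check for existing deployments is the same idea in reverse: reject or flag any blob key that matches `GLOB_META` before it reaches a filesystem call.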
Remediation
References