cvedb.io
CVE-2026-33173
MEDIUM · CVSS 5.3
EPSS exploitation probability: 0%
Published 2026-03-24T00:16:28.457 · Last modified 2026-06-17T10:37:04.677

Summary

Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, `DirectUploadsController` accepts arbitrary metadata from the client and persists it on the blob. Because internal flags like `identified` and `analyzed` are stored in the same metadata hash, a direct-upload client can set these flags to skip MIME detection and analysis. This allows an attacker to upload arbitrary content while claiming a safe `content_type`, bypassing any validations that rely on Active Storage's automatic content type identification. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.

Affected products

rubyonrails — rails

Does this affect you?

Add your gear to cvedb and we'll alert you only when rubyonrails ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.