PT-2026-28598 · Microsoft+1 · Vscode+1

Vinistock · Published 2026-03-27 · Updated 2026-06-03 · CVE-2026-34060

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions:
- ruby-lsp (VS Code extension) versions prior to 0.10.2
- ruby-lsp gem versions prior to 0.26.9

Description:
The rubyLsp.branch VS Code workspace setting was used in generating a Gemfile without proper sanitization, potentially allowing arbitrary Ruby code execution when opening a project with a malicious .vscode/settings.json. This impacts editors that automatically apply workspace settings upon opening and trusting the workspace. Ruby LSP operates under the assumption that workspace code is trusted, and opening an untrusted workspace could lead to the execution of dangerous code. The branch CLI argument and setting have been removed to address this.

Recommendations:
- Update the ruby-lsp extension to version 0.10.2 or later.
- Update the ruby-lsp gem to version 0.26.9 or later.
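The root cause described above is a workspace-controlled string being written into a Gemfile, which Bundler evaluates as Ruby source. ruby-lsp's actual fix, as the advisory states, was to remove the branch setting and CLI argument entirely. The following is an added example, not ruby-lsp's or Bundler's own code, showing the general hardening a defender would want wherever such a value must still be emitted: a strict allowlist validator plus emission of the value only as an escaped Ruby string literal. The SAFE_BRANCH pattern, the helper names and all sample values are assumptions constructed for this example.

```ruby
# Added example, not ruby-lsp's own code. A Gemfile line such as
#   gem "foo", git: "...", branch: "<value>"
# is Ruby source, so any externally supplied value placed into it must be
# rejected unless it is provably inert. Git ref names forbid whitespace,
# control characters, "..", "@{", "\", "~", "^", ":", "?", "*", "[" and a
# trailing "/" or ".lock"; rather than encode git's full rules, this uses a
# tighter allowlist (assumption for this example).
SAFE_BRANCH = /\A[A-Za-z0-9][A-Za-z0-9._\/-]{0,254}\z/

# Returns true only for values that can appear safely inside a Gemfile.
def safe_branch?(value)
  return false unless value.is_a?(String)
  return false unless SAFE_BRANCH.match?(value)  # rejects quotes, newlines, ";"
  return false if value.include?("..")           # the pattern alone allows ".."
  return false if value.end_with?("/", ".lock")  # invalid git ref endings
  true
end

# Emit the option only after validation, and only via `inspect`, which yields
# a double-quoted Ruby literal with escapes applied. Even a value that slipped
# past the allowlist could not terminate the literal.
def branch_option(value)
  raise ArgumentError, "unsafe branch value rejected: #{value.inspect}" unless safe_branch?(value)
  "branch: #{value.inspect}"
end

def gemfile_line(name, git_url, branch)
  "gem #{name.inspect}, git: #{git_url.inspect}, #{branch_option(branch)}"
end

# Constructed sample values of the kind an untrusted workspace setting could
# carry. None are real ruby-lsp values; the rejected ones simply contain
# characters that would let a value escape a string literal.
SAMPLE_SETTINGS = [
  "main",
  "release/2026.03",
  "feature_x",
  "main\"; x = 1",   # closes the literal and starts a new statement
  "a\nb",            # embedded newline
  "../../etc",       # traversal-like ref
  "ok.lock",         # valid characters, invalid git ref ending
]

# Map each sample to the validator's verdict, so the policy can be audited.
def audit(values = SAMPLE_SETTINGS)
  values.map { |v| [v, safe_branch?(v)] }.to_h
end

if $PROGRAM_NAME == __FILE__
  audit.each { |v, ok| puts "#{ok ? 'ACCEPT' : 'REJECT'} #{v.inspect}" }
  puts gemfile_line("ruby-lsp", "https://example.invalid/ruby-lsp.git", "main")
end
```

The validator is deliberately stricter than git itself: the goal is not to accept every legal ref name but to guarantee that whatever reaches the Gemfile cannot change its meaning as Ruby. Removing the setting, as the project did, removes the sink altogether and is the stronger fix.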

Exploit

Fix

Code Injection


Weakness Enumeration

Related identifiers

CVE-2026-34060
GHSA-C4R5-FXQW-VH93

Affected products

Vscode
Ruby-Lsp