PT-2026-27259 · Rails · Rails

Jean Boussier · Published 2026-03-23 · Updated 2026-03-24

CVE-2026-33173
CVSS v4.0: 5.3 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Rails versions prior to 8.1.2.1
Rails versions prior to 8.0.4.1
Rails versions prior to 7.2.3.1

Description
Active Storage in Rails applications allows users to attach files from cloud and local sources. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, the DirectUploadsController accepts arbitrary metadata from a client and stores it with the file. Internal flags, such as identified and analyzed, are stored within the same metadata. This allows a malicious client to manipulate these flags, bypassing MIME detection and analysis. An attacker can upload arbitrary content while falsely claiming a safe content type, circumventing validations that depend on Active Storage’s automatic content type identification. The DirectUploadsController is the component affected by this issue.

Recommendations
Update to Rails version 8.1.2.1 or later.
Update to Rails version 8.0.4.1 or later.
Update to Rails version 7.2.3.1 or later.
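The description above boils down to two defensive points: client-supplied metadata must never be allowed to carry the internal flags (identified, analyzed), and any validation that matters should look at the file's actual bytes rather than at a content type that was only declared. The following is an added illustration in plain Ruby, not code from Rails or from this advisory; the function names (sanitize_client_metadata, sniffed_content_type, content_type_consistent?), the INTERNAL_METADATA_KEYS constant and the small magic-byte table are assumptions made here, and the sample request metadata and byte strings are constructed for the example. Upgrading to the fixed versions is the actual remedy; this shows the kind of independent check an application can layer on top.

```ruby
# Added defensive example (not Rails code, not part of the advisory).
# Two checks that do not depend on metadata a client could have set:
#  1. strip the internal Active Storage flags named in the advisory
#     ("identified", "analyzed") from client-supplied metadata;
#  2. confirm a declared content type against the file's own leading bytes.
# All names below and the signature table are assumptions for this example.

require "json"

# Keys the advisory identifies as internal flags that a client must never set.
INTERNAL_METADATA_KEYS = %w[identified analyzed].freeze

# Return [clean_metadata, rejected_keys]: a copy of the client-supplied
# metadata with internal keys removed. Keys are compared as strings so both
# "identified" and :identified are caught.
def sanitize_client_metadata(metadata)
  rejected = []
  clean = metadata.to_h.each_with_object({}) do |(key, value), acc|
    if INTERNAL_METADATA_KEYS.include?(key.to_s)
      rejected << key.to_s
    else
      acc[key.to_s] = value
    end
  end
  [clean, rejected]
end

# Minimal magic-byte table (constructed here; extend for the types an app allows).
MAGIC_SIGNATURES = {
  "image/png"       => ["\x89PNG\r\n\x1a\n".b],
  "image/jpeg"      => ["\xFF\xD8\xFF".b],
  "image/gif"       => ["GIF87a".b, "GIF89a".b],
  "application/pdf" => ["%PDF-".b],
}.freeze

# Identify the content type from the first bytes of the data, or nil if unknown.
def sniffed_content_type(bytes)
  head = bytes.b
  MAGIC_SIGNATURES.each do |type, signatures|
    return type if signatures.any? { |sig| head.start_with?(sig) }
  end
  nil
end

# True only when the declared type matches what the bytes actually look like.
# A body whose type cannot be sniffed is treated as inconsistent (fail closed).
def content_type_consistent?(declared, bytes)
  sniffed = sniffed_content_type(bytes)
  !sniffed.nil? && sniffed == declared
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a client request that pre-sets the internal flags.
  request_metadata = { "identified" => true, "analyzed" => true, "title" => "avatar" }
  clean, rejected = sanitize_client_metadata(request_metadata)
  puts "kept: #{clean.to_json}, rejected: #{rejected.inspect}"

  text_bytes = "just some text, not an image".b
  png_bytes  = "\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR".b
  puts "text declared as image/png: #{content_type_consistent?('image/png', text_bytes)}"
  puts "png declared as image/png:  #{content_type_consistent?('image/png', png_bytes)}"
end
```

The sanitizer is the server-side counterpart of the fix's intent: whatever a client sends in the metadata parameter, the internal flags are set only by the application's own identification step. The byte check is deliberately independent of those flags, so a validation built on it cannot be bypassed by claiming a type in the request.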

Related Identifiers

CVE-2026-33173
GHSA-QCFX-2MFW-W4CG

Affected Products

Rails