CVE Tools
Sign in

CVE-2026-33173

Rails Active Storage has possible content type bypass via metadata in direct uploads

Published: Mar 23, 2026Updated: Mar 24, 2026 Sources: CVE List NVDCWE-925
NVD MITRE
5.3CVSSMEDIUM
EPSS Score
0.4%
Top 69.4%
CISA KEV
Not in KEV
Exploits
No Known Exploits
Remediation
Patch Available

Description

Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, `DirectUploadsController` accepts arbitrary metadata from the client and persists it on the blob. Because internal flags like `identified` and `analyzed` are stored in the same metadata hash, a direct-upload client can set these flags to skip MIME detection and analysis. This allows an attacker to upload arbitrary content while claiming a safe `content_type`, bypassing any validations that rely on Active Storage's automatic content type identification. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.

CVSS Vector Breakdown

AV:NAC:LPR:NUI:NS:UC:NI:LA:N
Exploitability
AV:NAttack Vector
Network
AC:LAttack Complexity
Low
PR:NPrivileges Required
None
UI:NUser Interaction
None
Scope
S:UScope
Unchanged
Impact
C:NConfidentiality
None
I:LIntegrity
Low
A:NAvailability
None
Open in CVSS calculator →

Weaknesses

CWE-925

Affected Products

activestoragerails
Library
OSS Libraries / web-framework
railsrubyonrailsOSS Libraries
railsoss-projectOSS Librariesaka rails-html-sanitizer, activestorage
rubyonrailsoss-projectUSOSS Librariesaka rails, ruby on rails, rubyonrails.org

Exploitability

Official Patch Available

References

https://github.com/rails/rails/security/advisories/GHSA-qcfx-2mfw-w4cg
github.com
https://github.com/rails/rails/commit/707c0f1f41f067fdf96d54e99d43b28dfaae7e53
github.com
https://github.com/rails/rails/commit/8fcb934caadc79c8cc4ce53287046d0f67005b3e
github.com
and 4 more references View all →

Timeline

Published
Mar 23, 2026
Last Updated
Mar 24, 2026

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2026-33173 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
Plain-language analysis
Impact assessment and exploitation scenario in plain English
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows