GHSA-qcfx-2mfw-w4cg
Suggest an improvement- Source
- https://github.com/advisories/GHSA-qcfx-2mfw-w4cg
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-qcfx-2mfw-w4cg/GHSA-qcfx-2mfw-w4cg.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-qcfx-2mfw-w4cg
- Aliases
- Related
- Published
- 2026-03-23T20:54:16Z
- Modified
- 2026-05-13T16:35:18.020342Z
- Severity
-
- 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Rails Active Storage has possible content type bypass via metadata in direct uploads
- Details
-
Impact
Active Storage's
DirectUploadsControlleraccepts arbitrary metadata from the client and persists it on the blob. Because internal flags likeidentifiedandanalyzedare stored in the same metadata hash, a malicious direct-upload client could set these flags.Releases
The fixed releases are available at the normal locations.
Credit
This was responsible reported by Hackerone researcher pwnie
- Database specific
{ "github_reviewed": true, "severity": "MODERATE", "nvd_published_at": "2026-03-24T00:16:28Z", "cwe_ids": [ "CWE-925" ], "github_reviewed_at": "2026-03-23T20:54:16Z" }- References
-
- https://github.com/rails/rails/security/advisories/GHSA-qcfx-2mfw-w4cg
- https://nvd.nist.gov/vuln/detail/CVE-2026-33173
- https://github.com/rails/rails/commit/707c0f1f41f067fdf96d54e99d43b28dfaae7e53
- https://github.com/rails/rails/commit/8fcb934caadc79c8cc4ce53287046d0f67005b3e
- https://github.com/rails/rails/commit/d9502f5214e2198245a4c1defe9cd02a7c8057d0
- https://github.com/rails/rails
- https://github.com/rails/rails/releases/tag/v7.2.3.1
- https://github.com/rails/rails/releases/tag/v8.0.4.1
- https://github.com/rails/rails/releases/tag/v8.1.2.1
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2026-33173.yml
Affected packages
RubyGems / activestorage
Package
- Name
- activestorage
- Purl
- pkg:gem/activestorage
RubyGems / activestorage
Package
- Name
- activestorage
- Purl
- pkg:gem/activestorage
RubyGems / activestorage
Package
- Name
- activestorage
- Purl
- pkg:gem/activestorage
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed7.2.3.1
Affected versions
0.*
0.1
5.*
5.2.0.beta1
5.2.0.beta2
5.2.0.rc1
5.2.0.rc2
5.2.0
5.2.1.rc1
5.2.1
5.2.1.1
5.2.2.rc1
5.2.2
5.2.2.1
5.2.3.rc1
5.2.3
5.2.4.rc1
5.2.4
5.2.4.1
5.2.4.2
5.2.4.3
5.2.4.4
5.2.4.5
5.2.4.6
5.2.5
5.2.6
5.2.6.1
5.2.6.2
5.2.6.3
5.2.7
5.2.7.1
5.2.8
5.2.8.1
6.*
6.0.0.beta1
6.0.0.beta2
6.0.0.beta3
6.0.0.rc1
6.0.0.rc2
6.0.0
6.0.1.rc1
6.0.1
6.0.2.rc1
6.0.2.rc2
6.0.2
6.0.2.1
6.0.2.2
6.0.3.rc1
6.0.3
6.0.3.1
6.0.3.2
6.0.3.3
6.0.3.4
6.0.3.5
6.0.3.6
6.0.3.7
6.0.4
6.0.4.1
6.0.4.2
6.0.4.3
6.0.4.4
6.0.4.5
6.0.4.6
6.0.4.7
6.0.4.8
6.0.5
6.0.5.1
6.0.6
6.0.6.1
6.1.0.rc1
6.1.0.rc2
6.1.0
6.1.1
6.1.2
6.1.2.1
6.1.3
6.1.3.1
6.1.3.2
6.1.4
6.1.4.1
6.1.4.2
6.1.4.3
6.1.4.4
6.1.4.5
6.1.4.6
6.1.4.7
6.1.5
6.1.5.1
6.1.6
6.1.6.1
6.1.7
6.1.7.1
6.1.7.2
6.1.7.3
6.1.7.4
6.1.7.5
6.1.7.6
6.1.7.7
6.1.7.8
6.1.7.9
6.1.7.10
7.*
7.0.0.alpha1
7.0.0.alpha2
7.0.0.rc1
7.0.0.rc2
7.0.0.rc3
7.0.0
7.0.1
7.0.2
7.0.2.1
7.0.2.2
7.0.2.3
7.0.2.4
7.0.3
7.0.3.1
7.0.4
7.0.4.1
7.0.4.2
7.0.4.3
7.0.5
7.0.5.1
7.0.6
7.0.7
7.0.7.1
7.0.7.2
7.0.8
7.0.8.1
7.0.8.2
7.0.8.3
7.0.8.4
7.0.8.5
7.0.8.6
7.0.8.7
7.0.10
7.1.0.beta1
7.1.0.rc1
7.1.0.rc2
7.1.0
7.1.1
7.1.2
7.1.3
7.1.3.1
7.1.3.2
7.1.3.3
7.1.3.4
7.1.4
7.1.4.1
7.1.4.2
7.1.5
7.1.5.1
7.1.5.2
7.1.6
7.2.0.beta1
7.2.0.beta2
7.2.0.beta3
7.2.0.rc1
7.2.0
7.2.1
7.2.1.1
7.2.1.2
7.2.2
7.2.2.1
7.2.2.2
7.2.3