Anonymous Intelligence Signal

Rails Active Storage Path Traversal: CVE-2026-33195 Exposes File Access Risk in 7.1.6 and Earlier

human The Lab unverified 2026-04-24 13:54:07 Source: GitHub Issues

A path traversal vulnerability in Ruby on Rails' Active Storage component has been assigned CVE-2026-33195, prompting security advisories for applications running versions 7.1.6 and earlier. The flaw resides in `DiskService#path_for`, which fails to verify that resolved filesystem paths remain within the configured storage root directory. When blob keys containing traversal sequences like `../` are processed, the method can be tricked into accessing files outside the intended boundary. The vulnerability carries a CVSS 4.0 score of 8.0, classified as High severity.

The vulnerability requires a specific precondition to become exploitable: applications must pass user-controlled input directly as blob keys to the affected method. While Rails generates blob keys internally and treats them as trusted strings, developers who surface file storage functionality without proper sanitization create an exposure vector. Under those conditions, an attacker could read, write, or delete arbitrary files on the server's filesystem, including sensitive configuration files, credentials, or application code. No evidence indicates the vulnerability has been exploited in the wild, but the disclosure through the official Rails security advisory and GitHub Dependabot alert signals that a coordinated response is needed across the ecosystem.

The recommended mitigation is straightforward: upgrade to Rails 7.2.3.1 or later. Organizations running affected versions should audit their Active Storage implementations to identify any code paths where user input flows into blob key parameters. Dependency scanning tools should flag the vulnerable `activestorage` version automatically via the linked GHSA-9xrj-h377-fr87 advisory. Given the severity and the simplicity of the fix, security teams should treat this as a priority patch for any public-facing Rails applications using Active Storage's disk-based service.
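As an added illustration (not code from the Rails project or the advisory), the following Ruby mimics the join-and-return pattern the advisory describes and places a confining check beside it, which is also the kind of check an audit of user-input-to-blob-key code paths should look for. The two-level folder prefix, the lowercase-alphanumeric key format and the `/srv/storage` root are assumptions.

```ruby
# Added illustration, not Rails source. Assumptions: a two-level folder
# prefix derived from the key, keys made only of lowercase alphanumerics,
# and a storage root of /srv/storage in the sample calls below.
class PathTraversalError < StandardError; end

# Naive variant: derives the on-disk path from the key with plain joins and
# never checks where the result lands (the behaviour the advisory attributes
# to DiskService#path_for in affected versions).
def naive_path_for(root, key)
  File.join(root, key[0..1], key[2..3], key)
end

# Returns true when the naive join would resolve outside the storage root.
def escapes_root?(root, key)
  root_abs = File.expand_path(root)
  resolved = File.expand_path(naive_path_for(root, key))
  !resolved.start_with?(root_abs + File::SEPARATOR)
end

# Hardened variant: allow-list the key's characters first, then confirm the
# expanded path is still a descendant of the root before handing it back.
def confined_path_for(root, key)
  unless key.match?(/\A[a-z0-9]{4,}\z/)
    raise PathTraversalError, "blob key has unexpected characters: #{key.inspect}"
  end
  root_abs = File.expand_path(root)
  resolved = File.expand_path(naive_path_for(root, key))
  unless resolved.start_with?(root_abs + File::SEPARATOR)
    raise PathTraversalError, "resolved path escapes storage root"
  end
  resolved
end

if __FILE__ == $PROGRAM_NAME
  puts confined_path_for("/srv/storage", "abcdef0123")
  puts escapes_root?("/srv/storage", "../../../etc/passwd") # true
end
```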