CVE-2026-33173 Rubyonrails — Exploit & Vulnerability Details MEDIUM

Parameter	Value
CVSS	5.3 (MEDIUM)
Affected Versions	8.0.0 — 8.1.2.1
Fixed In	7.2.3.1
Type	CWE-925
Vendor	Rubyonrails
Public PoC	No

Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, `DirectUploadsController` accepts arbitrary metadata from the client and persists it on the blob. Because internal flags like `identified` and `analyzed` are stored in the same metadata hash, a direct-upload client can set these flags to skip MIME detection and analysis.

This allows an attacker to upload arbitrary content while claiming a safe `content_type`, bypassing any validations that rely on Active Storage's automatic content type identification. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.

Attack Parameters

Attack Vector

Network

Can be exploited remotely

Attack Complexity

Low

Easy to exploit

Attack Requirements

None

No additional conditions

Privileges Required

None

No privileges needed

User Interaction

Passive

Minimal interaction

Impact Assessment

Confidentiality

None

No data leak

Integrity

Low

Partial data modification

Availability

None

No disruption

CVSS Vector v4.0

Weakness Type (CWE)

CWE-925

Vulnerable Products 3

Configuration	From (including)	Up to (excluding)
Rubyonrails Rails cpe:2.3:a:rubyonrails:rails::::::::	—	`7.2.3.1`
Rubyonrails Rails cpe:2.3:a:rubyonrails:rails::::::::	`8.0.0`	`8.0.4.1`
Rubyonrails Rails cpe:2.3:a:rubyonrails:rails::::::::	`8.1.0`	`8.1.2.1`