CVE-2026-33658

N/A Unknown
Published: March 26, 2026 Modified: March 30, 2026
View on NVD

Description

Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 Active Storage's proxy controller does not limit the number of byte ranges in an HTTP Range header. A request with thousands of small ranges causes disproportionate CPU usage compared to a normal request for the same file, possibly resulting in a DoS vulnerability. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/rails/rails/releases/tag/v7.2.3.1
Source: security-advisories@github.com
https://github.com/rails/rails/releases/tag/v8.0.4.1
Source: security-advisories@github.com
https://github.com/rails/rails/releases/tag/v8.1.2.1
Source: security-advisories@github.com
https://github.com/rails/rails/security/advisories/GHSA-p9fm-f462-ggrg
Source: security-advisories@github.com
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2026-33658.yml
Source: security-advisories@github.com

5 reference(s) from NVD

Quick Stats

CVSS v3 Score
N/A / 10.0
EPSS (Exploit Probability)
0.1%
15th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-770

Related CVEs

CVE-2026-41320 6.5
CVE-2026-40909 8.7
CVE-2026-40908 5.3
CVE-2026-40907 6.5
CVE-2026-40903 9.1