CVE-2026-33202: CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in rails activestorage
Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's `DiskService#delete_prefixed` passes blob keys directly to `Dir.glob` without escaping glob metacharacters. If a blob key contains attacker-controlled input or custom-generated keys with glob metacharacters, it may be possible to delete unintended files from the storage directory. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
AI Analysis (machine-generated threat intelligence)
Technical Summary
The vulnerability CVE-2026-33202 affects the Active Storage module of Ruby on Rails, specifically the DiskService#delete_prefixed method. Active Storage is used to attach cloud and local files in Rails applications. In affected versions (>= 8.1.0.beta1, < 8.1.2.1; >= 8.0.0.beta1, < 8.0.4.1; and < 7.2.3.1), the method passes blob keys directly to the Ruby Dir.glob function without escaping glob metacharacters such as '*', '?', '[', and ']'. Glob metacharacters are interpreted by Dir.glob to match multiple files or patterns. If an attacker can control or influence the blob key values, they can craft keys containing glob metacharacters that cause Dir.glob to match and delete unintended files beyond the intended scope. This improper neutralization of special elements in output used by a downstream component is categorized under CWE-74 (Injection). The vulnerability allows deletion of arbitrary files within the storage directory, potentially leading to data loss or denial of service. Exploitation requires no privileges or user interaction and can be performed remotely if the application accepts attacker-controlled blob keys. The issue has been addressed in Rails versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 by properly escaping glob metacharacters before passing blob keys to Dir.glob, preventing unintended file deletions.
Potential Impact
This vulnerability can lead to unintended deletion of files within the storage directory used by Active Storage in Rails applications. The impact includes potential data loss, disruption of application functionality, and denial of service if critical files are removed. Since Active Storage is commonly used for managing user-uploaded files, cloud attachments, and local file storage, exploitation could affect application data integrity and availability. The vulnerability does not allow remote code execution or privilege escalation but can cause significant operational impact by corrupting or deleting stored data. Organizations relying on vulnerable Rails versions risk data integrity issues and service interruptions, especially if blob keys can be influenced by untrusted users or external inputs. The lack of authentication or user interaction requirements increases the risk of exploitation in exposed web applications.
Mitigation Recommendations
Organizations should immediately upgrade Rails Active Storage to versions 8.1.2.1, 8.0.4.1, or 7.2.3.1 or later, where the vulnerability is patched. If upgrading is not immediately feasible, implement input validation and sanitization to ensure blob keys do not contain glob metacharacters before they reach the DiskService#delete_prefixed method. Restrict the ability to create or influence blob keys to trusted users or internal processes only. Employ file system permissions to limit the scope of deletions to only necessary directories, preventing broader file deletions. Monitor application logs for unusual file deletion patterns or errors related to Active Storage. Conduct code reviews to ensure no other parts of the application pass unescaped user input to file system globbing functions. Finally, maintain regular backups of storage directories to enable recovery in case of accidental or malicious deletions.
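The two defenses named above, escaping glob metacharacters before the key reaches Dir.glob and validating keys before they are used at all, as an added Ruby example (this is not Active Storage's own code or the upstream patch): it builds a throwaway storage directory, reports what an unescaped Dir.glob would match for a key containing metacharacters versus the escaped form, and runs a hardened delete_prefixed that rejects keys outside the expected alphabet and escapes whatever remains. The flat directory layout, the lowercase-alphanumeric key rule, and the function names are assumptions for this example; Active Storage's real on-disk layout and key format differ.

```ruby
require "tmpdir"
require "fileutils"

# Characters Dir.glob interprets specially: * ? [ ] { } and the backslash escape itself.
GLOB_METACHARS = /[\\*?\[\]{}]/

# Escape a key so Dir.glob treats every character literally. Dir.glob honours
# backslash escapes on POSIX platforms (FNM_NOESCAPE would turn that off).
def escape_glob(key)
  key.gsub(GLOB_METACHARS) { |c| "\\#{c}" }
end

# Assumption for this example: keys are expected to be lowercase alphanumerics,
# like generated tokens, so anything else is rejected before it is used.
def valid_blob_key?(key)
  key.is_a?(String) && key.match?(/\A[a-z0-9]+\z/)
end

# Mirrors the vulnerable shape: the key is interpolated into the pattern unescaped.
# This only lists matches; it deletes nothing.
def unescaped_matches(root, prefix)
  Dir.glob(File.join(root, "#{prefix}*")).map { |p| File.basename(p) }.sort
end

# Hardened shape: metacharacters in the key are escaped before globbing.
def escaped_matches(root, prefix)
  Dir.glob(File.join(root, "#{escape_glob(prefix)}*")).map { |p| File.basename(p) }.sort
end

# Hardened delete_prefixed: validate the key, escape it, then delete only the matches.
# Returns the basenames that were removed.
def safe_delete_prefixed(root, prefix)
  raise ArgumentError, "invalid blob key prefix: #{prefix.inspect}" unless valid_blob_key?(prefix)
  paths = Dir.glob(File.join(root, "#{escape_glob(prefix)}*"))
  FileUtils.rm_f(paths)
  paths.map { |p| File.basename(p) }.sort
end

# Constructed storage directory: two files under one key, two unrelated files.
def demo
  Dir.mktmpdir("storage") do |root|
    %w[abc123 abc123.variant xyz789 secret].each { |n| FileUtils.touch(File.join(root, n)) }
    hostile = "[a-z]" # a key that carries glob metacharacters
    {
      unescaped_hostile: unescaped_matches(root, hostile), # every file starting with a letter
      escaped_hostile: escaped_matches(root, hostile),     # nothing: no file is literally "[a-z]..."
      safe_delete: safe_delete_prefixed(root, "abc123"),   # only the two files under that key
      remaining: Dir.children(root).sort
    }
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The unescaped listing is the risk the advisory describes: a range expression in the key turns a one-key prefix match into a match over most of the directory. Escaping alone closes that gap; the alphabet check in addition keeps a malformed key from ever reaching the file system call, which is the cheaper place to fail.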
Affected Countries
United States, Germany, United Kingdom, Japan, France, Canada, Australia, Netherlands, India, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-17T23:23:58.312Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69c1d434f4197a8e3ba04297
Added to database: 3/24/2026, 12:00:52 AM
Last enriched: 3/24/2026, 12:14:49 AM
Last updated: 3/24/2026, 5:17:32 AM