CVE-2026-34060 is a code injection vulnerability classified under CWE-94 affecting Shopify's ruby-lsp, an implementation of the Language Server Protocol for Ruby. The vulnerability exists because the rubyLsp.branch setting in VS Code workspace configurations is directly interpolated into a generated Gemfile without proper input sanitization or validation. This unsafe interpolation allows an attacker to inject arbitrary Ruby code via a malicious .vscode/settings.json file within a project workspace. When a user opens such a workspace, the injected code executes with the privileges of the user running the ruby-lsp process. This can lead to arbitrary code execution, compromising the confidentiality, integrity, and availability of the user's environment. The vulnerability affects ruby-lsp versions prior to 0.10.2 (Shopify.ruby-lsp) and 0.26.9 (ruby-lsp). Exploitation requires the attacker to place a malicious VS Code workspace configuration file and the user to open the workspace, thus requiring user interaction and local access. The vulnerability has been patched in the specified versions by sanitizing the input to prevent code injection. No public exploits have been reported to date, but the high CVSS score of 7.1 reflects the significant risk posed by this vulnerability due to its potential impact and ease of exploitation once the malicious workspace is opened.

The impact of CVE-2026-34060 is substantial for organizations using vulnerable versions of ruby-lsp in their development environments. Successful exploitation allows arbitrary Ruby code execution, which can lead to unauthorized access to sensitive data, modification or destruction of code and files, and potential compromise of the developer's machine. This can cascade into supply chain risks if compromised development environments produce malicious or tampered software artifacts. Since ruby-lsp is used in developer tooling, the vulnerability primarily threatens software development teams, increasing the risk of insider threats or targeted attacks via malicious project repositories. The requirement for user interaction and local access limits remote exploitation but does not eliminate risk, especially in environments where developers open untrusted or third-party projects. The vulnerability can disrupt development workflows and erode trust in the integrity of software produced, impacting organizations globally that rely on Ruby and VS Code for development.

To mitigate CVE-2026-34060, organizations should immediately update Shopify.ruby-lsp to version 0.10.2 or later and ruby-lsp to version 0.26.9 or later, where the vulnerability has been patched. Developers should audit their projects for untrusted or suspicious .vscode/settings.json files, especially those containing the rubyLsp.branch setting, and remove or sanitize them. Implement strict policies to avoid opening workspaces from untrusted sources or repositories. Employ workspace trust features in VS Code to restrict automatic execution of workspace settings and extensions. Additionally, consider sandboxing development environments or using containerized setups to limit the impact of potential code execution. Regularly monitor for updates and advisories from Shopify and related tooling vendors. Educate developers about the risks of opening unverified project configurations and encourage secure coding and workspace hygiene practices.