Ruby on Rails Improper Verification of Intent by Broadcast Receiver Vulnerability - CVE-2026-33173 - Vulnerability Database


Medium
Reference: CVE-2026-33173
Title: Ruby on Rails Improper Verification of Intent by Broadcast Receiver Vulnerability
Overview:

Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1 and 7.2.3.1, DirectUploadsController accepts arbitrary metadata from the client and persists it on the blob. Because internal flags such as identified and analyzed are stored in the same metadata hash, a direct-upload client can set these flags to skip MIME detection and analysis. This allows an attacker to upload arbitrary content while claiming a safe content_type, bypassing any validations that rely on Active Storage's automatic content type identification. Versions 8.1.2.1, 8.0.4.1 and 7.2.3.1 contain a patch.
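As an added defensive example (not Rails' own patch or API), the plain-Ruby helper below strips the internal identified and analyzed flags from client-supplied direct-upload metadata before it would be persisted, and a second helper flags request bodies that attempt to preset them. The reserved-key list and the sample request body are constructed assumptions, not captured traffic.

```ruby
# Added example, not Rails code: sanitize direct-upload metadata and detect
# clients that try to preset Active Storage's internal flags.
require 'json'

# Assumption: the two flags named in the advisory are the reserved keys.
# A real deployment should treat every internally managed key as reserved.
RESERVED_METADATA_KEYS = %w[identified analyzed].freeze

# Returns [clean_metadata, rejected_keys]. Accepts string or symbol keys and
# normalises them to strings; nil metadata is treated as an empty hash.
def sanitize_direct_upload_metadata(metadata)
  rejected = []
  clean = (metadata || {}).to_h.each_with_object({}) do |(key, value), acc|
    if RESERVED_METADATA_KEYS.include?(key.to_s)
      rejected << key.to_s          # drop the flag, remember it for logging
    else
      acc[key.to_s] = value         # ordinary client metadata is kept
    end
  end
  [clean, rejected]
end

# Detection helper: given a JSON direct-upload request body, report whether
# the client tried to set any reserved flag in blob.metadata.
def suspicious_direct_upload?(json_body)
  params = JSON.parse(json_body)
  metadata = params.dig("blob", "metadata") || {}
  metadata.keys.any? { |k| RESERVED_METADATA_KEYS.include?(k.to_s) }
end

# Constructed sample request body (placeholder values, not a real capture).
SAMPLE_BODY = <<~JSON
  {"blob": {"filename": "report.pdf", "content_type": "application/pdf",
            "byte_size": 1234, "checksum": "placeholder-checksum",
            "metadata": {"identified": true, "analyzed": true, "owner": "alice"}}}
JSON

if __FILE__ == $0
  blob_metadata = JSON.parse(SAMPLE_BODY)["blob"]["metadata"]
  clean, rejected = sanitize_direct_upload_metadata(blob_metadata)
  puts "rejected reserved keys: #{rejected.join(', ')}"
  puts "metadata to persist: #{clean}"
  puts "suspicious request? #{suspicious_direct_upload?(SAMPLE_BODY)}"
end
```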