CVE Vulnerabilities

CVE-2026-33173

Improper Verification of Intent by Broadcast Receiver

Published: Mar 24, 2026 | Modified: Jun 17, 2026
CVSS 3.x
5.3
MEDIUM
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CVSS 2.x
RedHat/V2
RedHat/V3
7.6 MODERATE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
Ubuntu
MEDIUM
root.io logo minimus.io logo echo.ai logo

Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, DirectUploadsController accepts arbitrary metadata from the client and persists it on the blob. Because internal flags like identified and analyzed are stored in the same metadata hash, a direct-upload client can set these flags to skip MIME detection and analysis. This allows an attacker to upload arbitrary content while claiming a safe content_type, bypassing any validations that rely on Active Storages automatic content type identification. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.

Weakness

The Android application uses a Broadcast Receiver that receives an Intent but does not properly verify that the Intent came from an authorized source.

Affected Software

NameVendorStart VersionEnd Version
RailsRubyonrails*7.2.3.1 (excluding)
RailsRubyonrails8.0.0 (including)8.0.4.1 (excluding)
RailsRubyonrails8.1.0 (including)8.1.2.1 (excluding)
RailsUbuntuesm-apps/xenial*
RailsUbuntuquesting*

Potential Mitigations

References