{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34060", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-25T16:21:40.866Z", "datePublished": "2026-03-31T01:59:51.170Z", "dateUpdated": "2026-03-31T01:59:51.170Z"}, "containers": {"cna": {"title": "Ruby LSP has arbitrary code execution through branch setting", "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/Shopify/ruby-lsp/security/advisories/GHSA-c4r5-fxqw-vh93", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Shopify/ruby-lsp/security/advisories/GHSA-c4r5-fxqw-vh93"}, {"name": "https://github.com/Shopify/ruby-lsp/releases/tag/v0.26.9", "tags": ["x_refsource_MISC"], "url": "https://github.com/Shopify/ruby-lsp/releases/tag/v0.26.9"}], "affected": [{"vendor": "Shopify", "product": "ruby-lsp", "versions": [{"version": "< 0.26.9", "status": "affected"}]}, {"vendor": "Shopify", "product": "Shopify.ruby-lsp", "versions": [{"version": "< 0.10.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T01:59:51.170Z"}, "descriptions": [{"lang": "en", "value": "Ruby LSP is an implementation of the language server protocol for Ruby. Prior to Shopify.ruby-lsp version 0.10.2 and ruby-lsp version 0.26.9, the rubyLsp.branch VS Code workspace setting was interpolated without sanitization into a generated Gemfile, allowing arbitrary Ruby code execution when a user opens a project containing a malicious .vscode/settings.json. This issue has been patched in Shopify.ruby-lsp version 0.10.2 and ruby-lsp version 0.26.9."}], "source": {"advisory": "GHSA-c4r5-fxqw-vh93", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Ruby LSP is an implementation of the language server protocol for Ruby. Prior to Shopify.ruby-lsp version 0.10.2 and ruby-lsp version 0.26.9, the rubyLsp.branch VS Code workspace setting was interpolated without sanitization into a generated Gemfile, allowing arbitrary Ruby code execution when a user opens a project containing a malicious .vscode/settings.json. This issue has been patched in Shopify.ruby-lsp version 0.10.2 and ruby-lsp version 0.26.9."}, {"lang": "es", "value": "Ruby LSP es una implementaci\u00f3n del protocolo del servidor de lenguaje para Ruby. Antes de Shopify.ruby-lsp versi\u00f3n 0.10.2 y ruby-lsp versi\u00f3n 0.26.9, la configuraci\u00f3n del espacio de trabajo de VS Code rubyLsp.branch se interpolaba sin sanitizaci\u00f3n en un Gemfile generado, permitiendo la ejecuci\u00f3n arbitraria de c\u00f3digo Ruby cuando un usuario abre un proyecto que contiene un archivo .vscode/settings.json malicioso. Este problema ha sido parcheado en Shopify.ruby-lsp versi\u00f3n 0.10.2 y ruby-lsp versi\u00f3n 0.26.9."}], "id": "CVE-2026-34060", "lastModified": "2026-04-01T14:24:02.583", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-31T03:15:58.773", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/Shopify/ruby-lsp/releases/tag/v0.26.9"}, {"source": "security-advisories@github.com", "url": "https://github.com/Shopify/ruby-lsp/security/advisories/GHSA-c4r5-fxqw-vh93"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.26.9)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "ruby-lsp", "source": "cna", "vendor": "Shopify"}, "product": "ruby-lsp", "vendor": "shopify"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.10.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Shopify.ruby-lsp", "source": "cna", "vendor": "Shopify"}, "product": "shopify.ruby-lsp", "vendor": "shopify"}], "analysis": {"en": {"generated_at": "2026-03-31T05:22:38.469990+00:00", "value": {"mitigation_remediation": ["Apply the vendor patch by upgrading to Shopify.ruby-lsp\u202f0.10.2 or ruby-lsp\u202f0.26.9.", "If patching is not immediately possible, avoid opening untrusted projects or remove malicious .vscode/settings.json files before using the workspace.", "Verify that your Ruby LSP installation is up to date and regularly check Shopify\u2019s release notes and security advisories for further updates."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The issue affects Shopify\u2019s Ruby LSP implementation. Versions prior to Shopify.ruby-lsp\u202f0.10.2 and ruby-lsp\u202f0.26.9 are vulnerable. The product is named Shopify.ruby-lsp for the repository Shopify/ruby-lsp. Users running the older versions should consider updating. No other vendors or product versions were listed as affected.", "description_and_impact": "A vulnerability was found in Ruby LSP, an implementation of the language server protocol for Ruby. The rubyLsp.branch VS\u202fCode workspace setting was interpolated into a generated Gemfile without proper sanitization. If a malicious .vscode/settings.json file is present in a project, opening that workspace can cause arbitrary Ruby code to be executed, giving an attacker full control of the user\u2019s environment. This weakness is identified as CWE-94: Improper Control of Generation of Code or Logic.", "risk_and_exploitability": "The CVSS base score of 7.1 indicates a high severity, and the vulnerability is classified as a local risk that requires the user to open a compromised workspace. The EPSS score is not available, and the vulnerability is not in the CISA KEV catalog. Because the exploit vector requires a malicious settings file in the project, an attacker would need to gain access to a developer\u2019s filesystem or supply a malicious project, which limits the scope but still poses a significant threat to developers who open third\u2011party projects. Prompt patching is recommended to mitigate this risk."}}}}, "created": "2026-03-31T19:56:24.051271+00:00", "updated": "2026-03-31T20:39:36.258355+00:00", "vendors": ["shopify", "shopify$PRODUCT$ruby-lsp", "shopify$PRODUCT$shopify.ruby-lsp"]}