CVE-2026-34060 PUBLISHED

Ruby LSP has arbitrary code execution through branch setting

Assigner: GitHub_M
Reserved: 25.03.2026 Published: 31.03.2026 Updated: 31.03.2026

Ruby LSP is an implementation of the language server protocol for Ruby. Prior to Shopify.ruby-lsp version 0.10.2 and ruby-lsp version 0.26.9, the rubyLsp.branch VS Code workspace setting was interpolated without sanitization into a generated Gemfile, allowing arbitrary Ruby code execution when a user opens a project containing a malicious .vscode/settings.json. This issue has been patched in Shopify.ruby-lsp version 0.10.2 and ruby-lsp version 0.26.9.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 7.1

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Local	Confidentiality	High	Confidentiality	None
Attack Complexity	Low	Integrity	High	Integrity	None
Attack Requirements	Present	Availability	High	Availability	None
Privileges Required	None
User Interaction	Active

CVSS 4.0

Product Status

Vendor	Shopify
Product	ruby-lsp
Versions	Version < 0.26.9 is affected

Vendor	Shopify
Product	Shopify.ruby-lsp
Versions	Version < 0.10.2 is affected

References

Problem Types

CWE-94: Improper Control of Generation of Code ('Code Injection') CWE