Fluid Attacks Database

Description

Ruby LSP is an implementation of the language server protocol for Ruby. Prior to Shopify.ruby-lsp version 0.10.2 and ruby-lsp version 0.26.9, the rubyLsp.branch VS Code workspace setting was interpolated without sanitization into a generated Gemfile, allowing arbitrary Ruby code execution when a user opens a project containing a malicious .vscode/settings.json. This issue has been patched in Shopify.ruby-lsp version 0.10.2 and ruby-lsp version 0.26.9.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
rubygems	ruby-lsp	>=0 <0.26.9	0.26.9
debian 14	ruby-ruby-lsp	=0.26.6-1 \|\| =0.26.6-2 \|\| =0.26.7-1 \|\| >=0 <0.26.9-0.1	0.26.9-0.1

Aliases

1. CVE-2026-340602. NVD-2026-340603. OSV-2026-340604. OSV-DEBIAN-2026-340605. GHSA-c4r5-fxqw-vh936. GCVE-2026-340607. SECURITY-TRACKER-CVE-2026-34060

References

1. https://github.com/Shopify/ruby-lsp/security/advisories/GHSA-c4r5-fxqw-vh932. https://github.com/Shopify/ruby-lsp/releases/tag/v0.26.93. https://github.com/rubysec/ruby-advisory-db/blob/master/gems/ruby-lsp/CVE-2026-34060.yml

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.