{"id":"CVE-2026-34060","summary":"Ruby LSP has arbitrary code execution through branch setting","details":"Ruby LSP is an implementation of the language server protocol for Ruby. Prior to Shopify.ruby-lsp version 0.10.2 and ruby-lsp version 0.26.9, the rubyLsp.branch VS Code workspace setting was interpolated without sanitization into a generated Gemfile, allowing arbitrary Ruby code execution when a user opens a project containing a malicious .vscode/settings.json. This issue has been patched in Shopify.ruby-lsp version 0.10.2 and ruby-lsp version 0.26.9.","aliases":["GHSA-c4r5-fxqw-vh93"],"modified":"2026-04-10T05:43:21.785691Z","published":"2026-03-31T01:59:51.170Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/34xxx/CVE-2026-34060.json","cwe_ids":["CWE-94"],"cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/34xxx/CVE-2026-34060.json"},{"type":"WEB","url":"https://github.com/Shopify/ruby-lsp/releases/tag/v0.26.9"},{"type":"ADVISORY","url":"https://github.com/Shopify/ruby-lsp/security/advisories/GHSA-c4r5-fxqw-vh93"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34060"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/shopify/ruby-lsp","events":[{"introduced":"0"},{"fixed":"29ecc8d29dde87e6157a75bc2f0a3eb62db02ea3"},{"fixed":"9e53e7e8366a13e44079f252ee8e5d5000803fe2"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"0.26.9"},{"fixed":"0.10.2"}]}}],"versions":["v0.0.1","v0.0.2","v0.0.3","v0.0.4","v0.1.0","v0.10.0","v0.10.1","v0.11.0","v0.11.1","v0.11.2","v0.12.0","v0.12.1","v0.12.2","v0.12.3","v0.12.4","v0.12.5","v0.13.0","v0.13.1","v0.13.2","v0.13.3","v0.13.4","v0.14.0","v0.14.1","v0.14.2","v0.14.3","v0.14.4","v0.14.5","v0.14.6","v0.15.0","v0.16.0","v0.16.1","v0.16.2","v0.16.3","v0.16.4","v0.16.5","v0.16.6","v0.16.7","v0.17.0","v0.17.1","v0.17.10","v0.17.11","v0.17.12","v0.17.13","v0.17.14","v0.17.15","v0.17.16","v0.17.17","v0.17.2","v0.17.3","v0.17.4","v0.17.5","v0.17.6","v0.17.7","v0.17.8","v0.17.9","v0.18.0","v0.18.1","v0.18.2","v0.18.3","v0.18.4","v0.19.0","v0.19.1","v0.2.0","v0.20.0","v0.20.1","v0.21.0","v0.21.1","v0.21.2","v0.21.3","v0.22.0","v0.22.1","v0.23.0","v0.23.1","v0.23.10","v0.23.11","v0.23.12","v0.23.13","v0.23.14","v0.23.15","v0.23.16","v0.23.17","v0.23.18","v0.23.19","v0.23.2","v0.23.20","v0.23.21","v0.23.22","v0.23.23","v0.23.24","v0.23.3","v0.23.4","v0.23.5","v0.23.6","v0.23.7","v0.23.8","v0.23.9","v0.24.0","v0.24.1","v0.24.2","v0.25.0","v0.26.0","v0.26.1","v0.26.2","v0.26.3","v0.26.4","v0.26.5","v0.26.6","v0.26.7","v0.26.8","v0.3.0","v0.3.3","v0.3.4","v0.3.5","v0.3.6","v0.3.7","v0.3.8","v0.4.0","v0.4.1","v0.4.2","v0.4.3","v0.4.4","v0.4.5","v0.5.0","v0.5.1","v0.6.0","v0.6.1","v0.6.2","v0.7.0","v0.7.1","v0.7.2","v0.7.3","v0.7.4","v0.7.5","v0.7.6","v0.8.0","v0.8.1","v0.9.0","v0.9.1","v0.9.2","v0.9.3","v0.9.4","vscode-ruby-lsp-v0.10.0","vscode-ruby-lsp-v0.10.1","vscode-ruby-lsp-v0.10.2","vscode-ruby-lsp-v0.5.11","vscode-ruby-lsp-v0.5.12","vscode-ruby-lsp-v0.5.13","vscode-ruby-lsp-v0.5.14","vscode-ruby-lsp-v0.5.15","vscode-ruby-lsp-v0.5.16","vscode-ruby-lsp-v0.5.17","vscode-ruby-lsp-v0.5.18","vscode-ruby-lsp-v0.5.19","vscode-ruby-lsp-v0.5.20","vscode-ruby-lsp-v0.5.21","vscode-ruby-lsp-v0.7.0","vscode-ruby-lsp-v0.7.1","vscode-ruby-lsp-v0.7.10","vscode-ruby-lsp-v0.7.11","vscode-ruby-lsp-v0.7.12","vscode-ruby-lsp-v0.7.13","vscode-ruby-lsp-v0.7.14","vscode-ruby-lsp-v0.7.15","vscode-ruby-lsp-v0.7.16","vscode-ruby-lsp-v0.7.17","vscode-ruby-lsp-v0.7.18","vscode-ruby-lsp-v0.7.19","vscode-ruby-lsp-v0.7.2","vscode-ruby-lsp-v0.7.20","vscode-ruby-lsp-v0.7.4","vscode-ruby-lsp-v0.7.5","vscode-ruby-lsp-v0.7.6","vscode-ruby-lsp-v0.7.8","vscode-ruby-lsp-v0.8.0","vscode-ruby-lsp-v0.8.1","vscode-ruby-lsp-v0.8.10","vscode-ruby-lsp-v0.8.12","vscode-ruby-lsp-v0.8.13","vscode-ruby-lsp-v0.8.14","vscode-ruby-lsp-v0.8.15","vscode-ruby-lsp-v0.8.16","vscode-ruby-lsp-v0.8.17","vscode-ruby-lsp-v0.8.18","vscode-ruby-lsp-v0.8.19","vscode-ruby-lsp-v0.8.2","vscode-ruby-lsp-v0.8.20","vscode-ruby-lsp-v0.8.3","vscode-ruby-lsp-v0.8.4","vscode-ruby-lsp-v0.8.5","vscode-ruby-lsp-v0.8.6","vscode-ruby-lsp-v0.8.7","vscode-ruby-lsp-v0.8.8","vscode-ruby-lsp-v0.8.9","vscode-ruby-lsp-v0.9.10","vscode-ruby-lsp-v0.9.11","vscode-ruby-lsp-v0.9.12","vscode-ruby-lsp-v0.9.13","vscode-ruby-lsp-v0.9.14","vscode-ruby-lsp-v0.9.15","vscode-ruby-lsp-v0.9.16","vscode-ruby-lsp-v0.9.17","vscode-ruby-lsp-v0.9.18","vscode-ruby-lsp-v0.9.19","vscode-ruby-lsp-v0.9.2","vscode-ruby-lsp-v0.9.20","vscode-ruby-lsp-v0.9.21","vscode-ruby-lsp-v0.9.22","vscode-ruby-lsp-v0.9.23","vscode-ruby-lsp-v0.9.24","vscode-ruby-lsp-v0.9.25","vscode-ruby-lsp-v0.9.26","vscode-ruby-lsp-v0.9.27","vscode-ruby-lsp-v0.9.28","vscode-ruby-lsp-v0.9.29","vscode-ruby-lsp-v0.9.3","vscode-ruby-lsp-v0.9.30","vscode-ruby-lsp-v0.9.31","vscode-ruby-lsp-v0.9.32","vscode-ruby-lsp-v0.9.33","vscode-ruby-lsp-v0.9.5","vscode-ruby-lsp-v0.9.6","vscode-ruby-lsp-v0.9.7","vscode-ruby-lsp-v0.9.8","vscode-ruby-lsp-v0.9.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-34060.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}]}