Remote Code Execution Vulnerability in Ruby LSP by Shopify
CVE-2026-34060

7.1 HIGH

Key Information:

Vendor: Shopify

CVE Published: 31 March 2026

What is CVE-2026-34060?

Ruby LSP, which implements the Language Server Protocol for Ruby development, has a vulnerability that allows execution of arbitrary Ruby code because a user-configurable setting is handled improperly. In versions of Shopify.ruby-lsp prior to 0.10.2 and of ruby-lsp prior to 0.26.9, the value of the rubyLsp.branch setting is written unsanitized into a generated Gemfile. Because workspace settings travel with the project, the flaw can be triggered simply by opening a project that contains a malicious .vscode/settings.json file. Users should upgrade to the fixed versions to eliminate this risk.
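
As an added illustration (not code from this advisory or from the ruby-lsp project), the following Ruby shows the defender-side pattern the fix calls for: treat rubyLsp.branch as untrusted input, allowlist it against git ref-name rules before it reaches a generated Gemfile, and audit a settings document for values that would be refused. The generator, the GIT_SOURCE placeholder and the sample settings documents are hypothetical.

```ruby
require "json"

# Constructed sample workspace settings (not taken from the advisory).
SAFE_SETTINGS = '{ "rubyLsp.branch": "release/0.26" }'
UNSAFE_SETTINGS = '{ "rubyLsp.branch": "main\"\nfoo" }'

# Placeholder git source; the real ruby-lsp generator is not reproduced here.
GIT_SOURCE = "https://example.invalid/ruby-lsp.git"

# Allowlist check modelled on git ref-name rules: a conservative character
# set, no leading '-', no '..' or '//', no trailing '/' or '.lock'.
# Quotes, '#', newlines and other control characters therefore never pass,
# which is what keeps a setting value from breaking out of a Gemfile line.
def valid_branch_name?(name)
  return false unless name.is_a?(String) && !name.empty?
  return false unless name.match?(%r{\A[A-Za-z0-9][A-Za-z0-9._/-]*\z})
  return false if name.include?("..") || name.include?("//")
  return false if name.end_with?("/") || name.end_with?(".lock")
  true
end

# Pull rubyLsp.branch out of a .vscode/settings.json document; nil if absent
# or if the document is not valid JSON.
def branch_from_settings(json_text)
  JSON.parse(json_text)["rubyLsp.branch"]
rescue JSON::ParserError
  nil
end

# Hypothetical hardened generator: validate first, then emit the Gemfile line
# using Ruby's own string quoting rather than raw interpolation.
def gemfile_branch_line(branch)
  raise ArgumentError, "refusing unsafe branch name #{branch.inspect}" unless valid_branch_name?(branch)
  %(gem "ruby-lsp", git: #{GIT_SOURCE.inspect}, branch: #{branch.inspect})
end

# Defender-side audit: report whether a settings document carries a branch
# value that the hardened generator would refuse.
def audit_settings(json_text)
  branch = branch_from_settings(json_text)
  return :no_branch_setting if branch.nil?
  valid_branch_name?(branch) ? :ok : :unsafe_branch
end

if __FILE__ == $PROGRAM_NAME
  puts gemfile_branch_line(branch_from_settings(SAFE_SETTINGS))
  puts audit_settings(UNSAFE_SETTINGS) # => unsafe_branch
end
```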

Affected Version(s)

ruby-lsp < 0.26.9

Shopify.ruby-lsp < 0.10.2

CVSS v4

Score: 7.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Attack Requirements: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published
  • Vulnerability reserved